How to become a cybersecurity superhero
There are countless arch-villains out there setting their sights on healthcare organizations, with evil plans to wreak havoc via information technology and, in certain cases, even hold data and systems hostage. A world filled with villains requires superheroes to combat these disreputable foes. And many learned CIOs and CISOs – and other security professionals – are going above and beyond in protecting their healthcare organizations.
But what does it take to be a cybersecurity superhero? A great security worker has a variety of character traits and professional abilities.
“A good leader needs to be able to balance the proper security requirements for protection of the organization and at the same time understand and allow the organization the flexibility for speed and innovation,” said Phil Alexander, director of information security and ISO at UMC Health System and a speaker during the session “How to Become a Healthcare Security Superhero” at the HIMSS Healthcare Security Forum, September 11-13 in Boston.
Another trait is speed, Alexander stressed, because, of all the business leaders, infosec executives are the ones fighting a losing battle with time.
“The bad guy will always be one step ahead,” he said. “Whereas ‘speed’ may not seem like a trait, it is the fear or adversity to speed which can cause a leader to not be able to respond quickly enough. A leader needs to possess the ability to think and change quickly in an industry which is not prone to do so.”
Kim Jones, director of the cybersecurity education consortium at Arizona State University, outlined four attributes security professionals must possess and continue to perfect.
The first, he said, is a high level of technical skills, as both the technology and the threats against the technology continue to evolve. The second is excellent critical thinking skills, he said, going beyond simple problem-solving and getting to an ability to truly “see” the “three-level chessboard” and maneuver on it masterfully.
“Also, an understanding of the tenets of governance, risk and compliance,” Jones said. “Governance, risk management and compliance and assurance alone won’t solve cyber issues – but neither will technology. We need to avoid hyperbolically swinging the pendulum away from GRC in favor of technology and remind our professionals that both aspects are needed.”
And finally, Jones listed another attribute of high-functioning security professionals: superior communication skills.
“We need to be able to relay our ideas in a clear, cogent fashion – both verbally and in writing – to all constituents within the business,” he said. “The emphasis within the community seems to be drifting away from this point, to our peril. Having a great idea is fantastic. If you can’t communicate that idea and why it’s necessary, it won’t be adopted.”
Mansur Hasib, program chair, cybersecurity technology, at the graduate school of the University of Maryland University College, and author of the book “Cybersecurity Leadership,” sums up the traits of a cybersecurity superhero.
“In the current connected world, cybersecurity is a perpetually improving process of managing risks, incident response, fine-tuning behaviors, continuous learning, continuous monitoring,” Hasib said. “The most important character traits of a cybersecurity professional are integrity, empowerment, teamwork, customer service, continuous improvement and positive reinforcement.”
Cybersecurity is not a “one-brain sport,” Hasib added, saying the key is to build an organizational culture where everyone embraces and practices these traits.
Thinking of cybersecurity superheroes that can achieve great success in the battle against nefarious hackers, a question naturally arises: To be a cybersecurity superhero, does an individual need to be a member of the C-suite? Does he or she need to be a CIO or a CISO? The experts disagree slightly on this point.
“Security superheroes do not necessarily need to be in a C-level position if they can adequately communicate to upper management the ‘why’ of cybersecurity,” Alexander said. “If the security superhero can show value and include upper management in the decision, then what will happen is the executive leadership will be on the hook if something goes wrong.”
Executive leadership is more apt to back security initiatives and the security leader if they are part of the process; this allows for a team effort rather than using a title as a hammer to get things done, Alexander added.
A cybersecurity superhero does not necessarily need to be a C-level executive, but it helps, said Keith Fricke, partner and principal consultant at tw-Security and a speaker during the session “Soft Skills and Other Keys to Effective Security Leadership” at the HIMSS Healthcare Security Forum, September 11-13 in Boston.
“A security professional in the role of CISO or information security officer can often be more successful when his or her position has some level of authority,” Fricke said. “Implementing security requires effecting change. Having some authority helps achieve that change. At a minimum, an information security officer needs to have the support of senior leadership in maturing the organization’s security program.”
In the end, a cybersecurity superhero must be, as expected, a leader. That does not necessarily mean they must be in a leadership position, per se, but they must demonstrate and use the principles of effective leadership.
“The key to effective leadership is to lead, not manage,” Jones said. “It’s also to ensure you don’t mistake one attribute – management – for the other – leadership.”
Ironically, there are very few courses and degrees on leadership, despite it being a talent that organizations continue to want, recognize and look favorably upon, Jones added.
“Like anything else,” he said, “if you want to be a good leader, you need to educate yourself on and continue to study leadership.”