6 understandings of a successful CISO

By Tom Sullivan
08:07 PM
Be a change agent. Not a chief scapegoat officer. 

SAN FRANCISCO — Chief Information Security Officers’ job is getting harder. But that opens new opportunities to make a more immediate and positive impact on the broader organization.

On top of the rushing stream of ransomware attacks, data breaches and HIPAA violations, CISOs have to deal with more and more aspects of their organization, including communications, operations and strategy, according to Kim Jones, Director of the Cybersecurity Education Consortium at Arizona State University.

“Stop thinking of yourselves as gatekeepers or guards,” Jones said here at the HIMSS and Healthcare IT News Privacy & Security Forum. “We are change agents. Everything we do causes the culture of the organization to transform and transformation is a big deal.”


During a session, "Zen and the Art of Transformational Security," Jones shared six things that every security officer needs to understand to make a significant impact — and have a successful career. 

1. The business. A common big weakness is CISOs who don’t understand the business and, instead, lean too much on frameworks, processes and trying to fit a square peg into a round hole. Taking time to truly understand what the business does helps CISOs have a positive impact on the business model. “You cannot operate in a vacuum.”

2. The culture. Nearly every hospital is an integration of people, behavior patterns, assumptions, attitudes and ways of doing things, Jones said. So it’s important to understand those as well as four cultural drivers: top down, bottom up, inside out and outside in.

3. The audience. This includes the overall company, shareholders, customers, and others. “There are different sources of meaning so figure out the organization’s primary source of meaning and incorporate as many sources of meaning as possible.” Simply telling employees that IT is going to put in a new security process that is going to frustrate customers is a mistake, and doing so without explaining the reasons or benefits is even worse.

4. The message. Jones broke this into three types: care, consensus and crisis communications. CISOs have to understand what each means to the organization to grasp the unique challenges, such as “if you see something say something” or “don’t copy that floppy,” as examples that can lead to better security actions. “Know what type of communication you are doing and what you want the outcome to be,” he said.

5. The value. Jones said the first thing to remember is that if security is not part of the value construct you already have an uphill battle because what you’re doing is perceived as a roadblock. What’s more, CISOs typically don’t articulate the value of security very well. And while most organizations have a healthy tension between stated value and implied value, that construct should impact the decision process and security chiefs need to communicate that value.

6. Yourself. This means understanding your leadership style and management style, and Jones listed different types: technical, managerial, sustaining, transformative and well-suited to large or small organizations. He also recommended taking tests like Myers-Briggs. “Take the time to understand who you are and what you are about in a somewhat quantitative action,” Jones said. “Be honest with yourself. It will make you a better leader and better manager.”

Jones’ bonus advice: Buy a $500 Starbucks card because not all of your colleagues and the people you want to meet with will have time for a meal but almost everyone in the organization can meet you for a cup of coffee – that’s been a great investment, he said. 

Twitter: SullyHIT
Email the writer: tom.sullivan@himssmedia.com