CISOs and CIOs: Why can't we be friends?
When Barry Caplin stood onstage in Chicago at the most recent Healthcare IT News Privacy & Security Forum this summer, he put it plainly: "I'm going to talk alignment. And connections. And outreach."
Caplin, chief information security officer at Minneapolis-based Fairview Health Services, paused for a moment.
"And love! How about some love for the security industry? Because none of us got into security to be popular. In fact, quite often, when security comes, a lot of folks are going in the opposite direction. They don't wanna see us."
The title of Caplin's presentation, which delved into the often fraught relationship between hospital CISOs and their close colleagues, chief information officers, was "CISOs are from Mars, CIOs are from Venus."
After all, these are two C-suite roles that have very important jobs – and different ways of looking at things.
"We come from different worlds," Caplin said. "I'm a security person. I come from a technical background. I was a developer, I've done all those geek things. A lot of people who have moved up to a CISO role, a lot of folks in that area come from a technical background. We're engineers, we want to fix things."
Meanwhile, "a lot of IT folks, CIOs in particular," come from the business side. They think in terms of budgets and project management.
That means two separate groups that speak different languages, strategize using different techniques and use different tools.
"I'm the CISO, and I can wield the Sword of Antivirus!" he said, to laughter. "Or make it the Lightsaber of Total Endpoint Protection! Or the Shield of Next-Gen Firewall!"
But CIOs brandish an entirely different set of weapons: most notably, "the Scepter of IT Budget."
Not for nothing, "it's hard for (CISOs) to do our jobs without that critical tool," said Caplin.
Coming from these very different viewpoints, relationships between CIOs and CISOs can at times be contentious. But that has to change.
First step? Understand where each other is coming from.
"In security when we talk about threats, we're thinking about hackers, about malware," said Caplin. "Nation-states. Hacktivists."
But CIOs have a different idea of threat and risk. "Being overtime and over-budget," he said, are atop the list of things that keep them up at night.
Security folks think in terms of the classic probability/impact matrix and balance their threat response accordingly. CIOs rank risk on a different scale: "For a CIO, not meeting the business need is a core, critical risk."
Understanding those different worldviews is key to overcoming friction points and moving toward a common goal. After all: HIPAA breaches, hacks and cyber attacks affect everyone. They're not just problems for CISOs. They're one of the biggest threats to the very business continuity CIOs are sworn to defend.
"We've got to figure out how we get together and meet in the middle," said Caplin. "We need to unite against that common enemy."
Key to doing that is thinking hard about "the way we use the language," said Caplin. It's critical to "make sure we are putting the security risks in terms that are going to resonate with our partners in IT, with our partners in business."
He suggested some key opportunities for finding common ground, such as working with CIOs on enabling more widespread – and safer – use of mobile and cloud-based tools.
"If you're a security person and you're saying no to these things, you have already lost," said Caplin. "If you think you do not have personal devices in your environment, you are wrong. If you think that your internal information is not going out on cloud services, you are wrong. We've got to embrace this stuff. It's 2015."
A security and IT staff that's on the same page, that offers a united front on providing the best tools for care delivery, can pay dividends, he said.
"We have smart people out there. We need them focusing on the work they have to do. We're in the business of providing healthcare, and we need to remember that as we try to get our needs met."
Too often, said Caplin, security is seen by others in the C-suite as a cost center. "I think that's a mistake. We have a lot of value to bring to the table. And I think we have to start talking in terms of that value."
Toward that end, he put forth the concept of "security as an enabler": a full engagement of the CISO and his or her team with those in the IT and clinical trenches. He pointed to one recent insight that led to a security streamlining that saved 15 seconds per log-in.
Multiply that by "50 logins per day, per clinician, per site," and it adds up to some real efficiencies.
"Let's get together on this stuff and see if we can get together further upstream earlier in the process," Caplin said to his fellow security professionals. "We can help influence what's going on."
In the business called healthcare, "where it is absolutely critical that we spew and spray data across all parts of our organization, all the time," the CISO has a central role to play. A healthy relationship with the IT department is essential to maximizing its impact, he said.
"Go out to your CIOs and talk about these things: 'What problems am I causing for you? What do you hate about security and IT?'" said Caplin. "They'll tell you all kinds of stuff. And then you can start partnering to solve the problem."