Healthcare CISOs: Master these skills, delegate the rest
Information security has become so specialized that the chief information security officer is now the leader of a pack of specialists rather than the sole expert. The CISO must gain as much knowledge as he or she can, while at the same time hiring a team of individuals, each of whom has specialty knowledge in an area that needs coverage within the institution.
"In the same way that other C-level executives don’t personally have every area of specialization that may report to them, CISOs won’t either," said Jeff Pollard, a Forrester Research principal analyst who specializes in cybersecurity.
"What CISOs should do is what other executives do: Build a team of specialists, and seek outside expertise in the form of industry analysts, consulting and professional services, and managed security services, to provide the expertise the CISO needs as it arises," he said.
Instead of becoming an expert on everything, a CISO can become an expert on delegating areas and identifying the experts they can trust to provide the right answers, Pollard added.
Take the HIPAA Security Rule, for instance. All covered entities and business associates are required to designate a "security official" (the assigned security responsibility standard, 45 CFR 164.308(a)(2)) with responsibility for the administrative, physical and technical safeguards that protect electronic protected health information (ePHI).
The rule also states, "More than one individual may be given specific security responsibilities, especially within a large organization, but a single individual must be designated as having the overall final responsibility for the security of the entity’s electronic protected health information."
Hospitals and health systems struggle to find one person who can perform all of these tasks. It would be like trying to find one physician who can treat every patient, from pediatrics through geriatrics, and every disease, from chicken pox to cancer.
What CISOs need to know
Even so, CISOs need a particular set of skills and security expertise to do their job as successfully as possible.
"Cybersecurity professionals need to have a broad range of skills beyond IT, including business process, vendor management, physical security, threat awareness, human resources, staff training and business continuity management," said Clyde Hewitt, vice president of security strategies at CynergisTek, a consulting firm focused on privacy, security and compliance in healthcare.
"The basic skills needed are executive leadership, risk management, budgeting, and a good understanding of compliance, audit, and technology," he said.
The harder skill to find is the ability to translate complex technical and security concepts into terms that C-level executives can clearly understand, Hewitt added. A CISO needs prior experience in many of these fields, including security, but does not necessarily need to be a current expert in all of them, he said.
"Their role is primarily to translate the cybersecurity needs of the covered entity into business terms that the C-suite and board can understand, then take direction and translate needs into technical guidance and programs that others can help implement and operate."
When it comes to staffing up, CISOs need to be keenly aware of their organization’s needs and shortcomings and of areas where they themselves need help.
"CISOs should identify the business critical areas that they can and should staff, and identify the areas of specialization that are important, but not business critical where they can turn to external experts," Pollard said. "Skilled security leaders know the right mix of internal headcount and external expertise extends security budgets."
CISOs also need to match their team's skills to the way their organization is transforming itself through technology.
"That may sound simple, but as technology continues to change every industry, matching skills to technology change is vital to delivering superior security outcomes," Pollard explained. "For example, many of the healthcare organizations I speak with make extensive use of third-party service providers to run software, infrastructure and medical equipment. That CISO should make sure the security architects on their team understand zero trust network segmentation and third-party risk management as key skills."
Security architects who understand only locked-down, self-managed applications and devices will not succeed in such an environment, because they lack alignment with the rest of the decisions being made within the organization, Pollard contended.
What to look for when hiring
Hewitt offers some tips for healthcare CISOs hiring staff to cover security architecture, security engineering, security analysis, security compliance and risk management.
"First, organizations need to recognize that cybersecurity is not an IT issue but an enterprise issue," he said. "Therefore, it would be best to align responsibility with the expectations of the HIPAA Security Rule. As only 22 percent of the HIPAA Security Rule Standards and Implementation Specifications are technical, the remaining 78 percent are non-technical. Therefore, consider placing the CISO role within the organization so that the individual has direct authority over the entire spectrum of requirements."
Second, create job descriptions that embrace the full spectrum of cybersecurity requirements, then get external help assessing accurate pay bands for each role, he said. Given the imbalance between supply and demand, qualified individuals will expect rates higher than many organizations may be prepared to pay.