Here are the dos and don'ts when hiring healthcare cybersecurity pros
Healthcare organizations are wrestling with a vast number of cybersecurity job openings and the dearth of cybersecurity professionals to fill those roles.
Fifty-eight percent are training existing staff in new security skills, 53 percent are using contractors, 36 percent are employing managed security service providers (MSSPs), and only 31 percent are hiring new staff, according to Daniel Kennedy, a director at 451 Research.
Kennedy said it is particularly telling that hiring new staff is the fourth option for addressing the problem. But there are steps healthcare organizations can take to make finding and hiring a cybersecurity professional less challenging.
“A larger health organization is usually looking to hire either a senior strategic security leader or a highly specialized security role,” Kennedy said. “To the extent they’re not finding those things, they must first look to the job specs they’ve put together. I can’t tell you how many job postings I’m asked to review by colleagues who have no concept of the salary ranges security professionals are making.”
Their second mistake is one made across tech: They push out a desired skill list a mile long that has little actual bearing on the role they’re hiring for, and human resources or a recruiter then uses it to incorrectly screen out qualified candidates, Kennedy said.
“Finally, healthcare organizations should be open to hiring outside of their industry, especially if the security resource being considered has experience in another highly regulated industry,” he added.
And if salary range is an issue, benefits can be used to lure qualified cybersecurity pros to a healthcare organization.
“Human resources studies have shown there are other reasons that attract people to jobs and cause them to stay, things like education benefits, a meaningful mission, interesting work, a good team environment, location, etc.,” said Mac McMillan, president and chief strategy officer at CynergisTek. “Most cybersecurity specialists by nature are curious and interested in constantly learning. So one approach that is attractive is making sure there is an opportunity to continue their learning or a dedicated training allowance.”
Another strategy is stressing the service ethic associated with healthcare, which is especially attractive to those coming out of the military who have a strong service ethos, McMillan added.
“Another tactic is describing the nature of the work and the many challenges they will face,” he said. “Cybersecurity personnel are by definition warriors who experience their own sense of reward by thwarting bad people and bad things from happening.”
And last but not least, healthcare organizations can demonstrate to cybersecurity professionals a strong cultural commitment to information security, McMillan advised.
“Ensuring the position reports to a senior executive, having a defined governance structure, allocating a dedicated security budget, having leadership participate in interviews of candidates,” he said. “Cybersecurity professionals more than anything want to work in organizations where they feel they are supported and will be able to make a difference.”