Outsourced cybersecurity staff, one way healthcare is getting around the talent shortage
The overarching cybersecurity theme of summer 2017 is shaping up to be a widespread infosec talent shortage against the backdrop of fear that arose after the WannaCry ransomware threats happened. Adding to the chaos are predictions that more attacks are not only coming, but will be far worse when they hit.
That scenario is opening doors for managed security services providers, managed detection and response firms and virtual CISOs contracting with hospitals to keep them safe.
Managed Security Services Providers
Like third-party managed services providers that tend to many of the day-to-day tactical details of dealing with IT, MSSPs do the same for data security, taking on responsibility for maintenance and upkeep and doing the monitoring and the tracking of issues as they emerge inside or outside of the organization they are servicing.
MSSPs are doing a lot of work in the age of the hacker, which is why some healthcare organizations are turning to MSSPs in the first place.
“Healthcare organizations will partner with MSSPs to act as their security operations center and consume critical data surrounding events and alerts that could be indications of a problem; 24 hours a day, they are responsible for alerts and the first sign of an intrusion or potential exposure,” said Christopher Ensey, chief operating officer at Dunbar Security Solutions, among other things a managed security service provider.
Healthcare has been lagging in IT security, and MSSPs are a way to add that competency quickly, said Bill Ho, CEO of Biscom, a secure document and messaging systems company.
“Sometimes more specialized expertise is needed,” Ho said. “Much like your doctor referring you to a specialist, an internal IT department may not have specific and in-depth knowledge around security. With the speed at which threats change these days, it’s no surprise that many organizations are finding that managed security service providers can help them fortify their defenses.”
The advantages are personnel steeped in the security space and able to keep abreast of the latest threats and concerns, and services that can be quickly scaled up or down as incidents appear and are resolved rather than adding permanent headcount, which is not only expensive but hard to find, Ho said.
Managed Detection and Response
While MSSPs handle cybersecurity broadly, MDR firms specialize in pinpointing security incidents and crafting an appropriate response.
MDRs leverage both manual and automatic analysis to give organizations a better chance of defending systems against cyberthreats. And the services are tailored to meet the specific needs of each organization.
"MDRs and MSSPs are rushing to the market. That's going to be a help to the industry once the security market sorts itself out,” said Kurt Hagerman, CISO of security firm Armor. “If they can take advantage of the security people need, that will be one potential solution to the problem."
The virtual or regional CISO
Another alternative is to hire a regional or virtual CISO. This infosec expert typically brings both experience and certification with a background specific enough that it enables her or him to hit the ground running and make necessary recommendations. And it doesn’t hurt if they are part of a larger organization.
“Virtual CISOs are assigned to a specific account, but that designated CISO can draw on anyone else in the company with whatever the organization needs,” said Mac McMillan, CEO of CynergisTek, which offers virtual CISOs for hire. “They basically get the benefit of many CISOs -- with just one.”
That bodes well for both the regional CISO and customers because they essentially have an entire team at their fingertips.
What about a tools-centric approach?
What with the infosec staffing crisis, and outsourcing options such as MSSPs, MDRs and virtual CISOs gaining a foothold in healthcare, some experts see hospital strategies evolving beyond the next big thing in security technology.
“It’s not a very good use of a relatively high-salary security specialist’s time to comb through logs on a daily basis and review reports every day and investigate every little alert that fires off of a device,” Dunbar’s Ensey said. “Organizations want these highly compensated security professionals to lead a security strategy.”
What’s more, Hagerman added that the current approach of chasing bright shiny objects without necessarily then having the expertise, personnel or financial wherewithal to effectively use that tool is driving many hospitals away from a security tech approach and toward service providers.
“We’re about 500,000 security professionals short of the needed jobs,” Hagerman added. “There’s just not enough security professionals to go around.”
Associate Editor Jessica Davis contributed to this report.