Time to ditch the 'security team of yesterday'
Data security isn't what it used to be. With today's threat landscape, the stereotypically introverted, more-into-computers-than-people techie isn't going to cut it as CISO. And there are plenty of people who will tell you why.
"You can have the most stellar security team," said Connie Barrera, chief information security officer of the six-hospital Jackson Health System in Miami, "and if they're the security team from yesterday – the ones in that dark room behind the locked doors that were really unapproachable, never really seen and never interacted with people – that's a problem," she said.
For Barrera, things like cybersecurity and access management are integral to the work she does. But creating a culture – one of "security empowerment," and also visibility – are king. "We need to get out there and talk to our users," she said.
"We need to get out there and talk to our users."
Barrera strives to regularly communicate with every business unit across the Florida-based health system. She makes sure they know the latest happenings on HIPAA, payment card industry data security, PII, etc. She also gives regular power points on the topics. As Barrera sees it, it's about engaging with folks and letting them know that security is everyone's responsibility.
This practice is "very time consuming for me, but the payoff is huge," she said. "The fruit of that effort is we have people around the organization mentoring others, saying, 'you're not really supposed to do that.'"
And when you only have three full-time employees, like Barrera, and you're responsible for the security of 13,000 end points and more than 2,800 servers, every bit helps.
It's a good practice – one that Barrera and her team are not alone on.
"We have a direct line of sight from the chairman of the board, who sits on the committee, all the way down to the individual employee," said Ed Marx, then chief information officer at Texas Health Resources last summer, describing his security task force. Every two months, Marx and the CISO at Texas Health sat before the audit committee and the board.
And when asked how big his security team was at the 25-hospital health system, Marx, who this spring accepted a post at The Advisory Board, didn't hesitate: "24,000" – which happens to be the total number of people the health system employed at the time.
It seems straightforward that if many CISOs are emphasizing the people and processes part of it all, they must spend the lion's share of their time on it, right? Not necessarily.
In fact, according to Deloitte data, CISOs across all industries dedicate nearly 80 percent of their time to technical related aspects of their position – this despite the fact they'd ideally like to reduce this number to 35 percent.
Today's CISO has to be different than they may have been in the past. The business case simply demands it.
As one Wisegate healthcare CISO member put it: "You have to be friendly, able to communicate well, a salesman of sorts, have people respect you and have a high level of common sense."
Wisegate, a research service and community for senior IT professionals, recently published a survey on the most important skills for security leads, as rated by its members. And top of the list? Collaboration at 80 percent.
Meredith Phillips, CISO of the Henry Ford Health System in Detroit, appeared to echo that sentiment.
"If we can't capture the hearts and minds of individuals that are engaging with data and systems and applications in order to take care of patients," she said. "No amount of technology that I put in place will ever solve that problem."
Phillips describes Henry Ford's employee education program iComply as "robust." Each year, all 23,000 employees are trained and educated on privacy and security. "That's been a huge success for us," she said. The education completion rate is roughly at 99 percent, which is "really unheard of," she said.
It helped that the executive leadership together with the board was supportive every step of the way. They've "really got behind those initiatives in a way where it's become a service expectation," she said.