Strategic CIO // Executive Insights & Innovation
Commentary
7/7/2014
09:06 AM
Mansur Hasib
Mansur Hasib
Commentary
Connect Directly
Twitter
RSS
E-Mail
100%
0%

Don't Set The CISO Up To Fail

More healthcare organizations are hiring CISOs -- a good thing. But bad management structure, insufficient resources, and poor understanding of risks often doom these newly appointed security executives.

My 2013 national survey of healthcare organizations discovered that about half the CIOs in healthcare report to CFOs and other executives, and not the CEO. This structure is dangerous for both the organization and the CIO for several reasons.

First, the CIO's pay is reduced -- at least a full grade level lower -- than it should be. Second, the CIO cannot participate in organizational strategy meetings because of rank.

Most important, the CFO and other executives run IT and cyber security strategy, instead of the CIO. IT department pay, including that of the chief information security officer (CISO), is lowered, making it challenging for the healthcare organization to acquire and retain top talent. Finally, the CIO becomes an ideal whipping post for any failures, but other executives are well protected, even though they make the final decisions.

[Why did Oregon's Obamacare site flop? Read Oracle Documents: Politics Sabotaged Oregon Healthcare Website.]

With the fall of Target's CEO, things appear to be improving. At every conference I attended recently I learned that CEOs and boards are now very engaged in cyber security discussions. Many are scrambling to hire their first CISOs. Because healthcare organizations' security lags behind retailers, it's even more critical for the nation's hospitals, clinics, and practices to recognize the value CIOs and CISOs deliver.

My survey also found many healthcare organizations pay insufficient attention to cyber security: In fact, 21% do not plan to have a CISO in the near future.

(Source: Impact of Security Culture on Security Compliance in Healthcare in the USA by Mansur Hasib, 2013)

(Source: Impact of Security Culture on Security Compliance in Healthcare in the USA by Mansur Hasib, 2013)

The new breed of healthcare CIOs will have to include a strong cyber security strategy in their IT strategy, which in turn will drive the strategy for the entire organization because IT is the life blood of most organizations today. Some of these CIOs could come from the ranks of today's highly qualified and strategic CISOs -- people who understand business risks, can tailor strategy to mission, have continually learned (by earning appropriate advanced degrees and certifications), and have demonstrated cyber security leadership.

Although I am glad CEOs and boards are waking up and realizing the importance of cyber security strategy, a few observations concern me. Some CEOs and boards are engaging their IT and cyber security staff to "make sure this does not happen to us" -- without really understanding what cyber security or cyber security leadership is. Some departments are getting their cyber security budget doubled -- without even asking. Yet these organizations remain focused on a compliance culture that is expensive, tactical, and regressive. In addition, despite serious shortcomings, some organizations are even embracing the new NIST Cybersecurity Framework as a badge of honor and adopting it as an auditing standard.

However, any organization that spends money on cyber security as a separate component of the IT budget is approaching it wrong. Cyber security must be baked into the entire IT strategy.

During my 30 years of managing IT and my 12 years as a CIO in healthcare, biotechnology, and education, I never spent on cyber security as a separate component. I always focused my IT strategy on the organization's mission. I always implemented systems and technology with the goals of maximizing confidentiality, integrity, and availability, using a balanced mix of technology, policy, and people while perennially improving over time.

I used a risk balancing (of both positive and negative risks) approach to prioritize spending, frequently using a multi-year transparent vision. I empowered and trained all the people in my organization, ensuring they could use technology to make themselves more productive and innovative. I implemented a governance framework that encouraged teamwork, fun, transparency, continual learning, and a virtuous culture of innovation and safety. This is what modern cyber security is and what a cyber security culture can achieve.

Pursuing compliance is like planting annual flowers. They look great for a short while. Then they die and get more expensive each year. Compliance in technology and policy does not govern behavior of people; culture does. We should invest in a cyber security culture and gain the benefit of perennial flowers. They improve in quality, abundance, and size each year and you can even divide them and spread them around your garden. It is time for cyber security leadership.

Here's a step-by-step plan to mesh IT goals with business and customer objectives and, critically, measure your initiatives to ensure that the business is successful. Get the How To Tie Tech Innovation To Business Strategy report today (registration required).

Mansur Hasib is the only Chief Information Officer (CIO) in the world with 12 years' experience as CIO, a Doctor of Science (DSc) in information assurance, CISSP (cybersecurity), PMP (project management), and CPHIMS (healthcare) certifications, who has written two books ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Alison_Diana
50%
50%
Alison_Diana,
User Rank: Author
7/8/2014 | 9:20:12 AM
More Than Words
In one way, it's encouraging to learn that more healthcare organizations recognize they must hire a c-level executive to oversee security, realizing security responsibility is more than the CIO can take on. On the other hand, your points about management structure resonate -- and I would imagine many CIOs and CISOs who find themselves in the position you describe (where they report to the CFO or other non-CEO exec) are nodding their heads in frustration and agreement with your points about salary, responsibility, and the burdens they face.

The best organizations in any vertical appear to have realized that security extends far beyond technologies and processes; rather, security is part of their culture and as the leader of all facets of security, the CISO is a key part of the organization's leadership team. S/he is integral to pretty much every aspect of that organization's future growth, measuring risk vs reward, and cannot be seen as lesser to the CFO or any other c-level exec.
SunitaT0
50%
50%
SunitaT0,
User Rank: Ninja
7/29/2014 | 4:47:37 PM
Re: More Than Words
@Alison: I second that. Security is indeed part of your organization?s culture and should always be valued first. Even the higher tier officials like CEO and CFO should always be informed about the working security of the company, no matter how little it is.
SunitaT0
100%
0%
SunitaT0,
User Rank: Ninja
7/29/2014 | 4:47:08 PM
Re : Don't Set The CISO Up To Fail
Cyber Security Most organizations rely on a third party company for their cyber security. Some companies invest little budget for their cyber security and do not keep track of it. Most of the upper level engineers working in a specific department are not knocked every time someone hits a dead end in cyber security. This enlarges the problem, since if senior engineers don?t know what kind of security they?ll be getting, they would continue their work on that specific software, compromising the database.
mhasib
50%
50%
mhasib,
User Rank: Author
7/30/2014 | 9:35:16 PM
Re: Re : Don't Set The CISO Up To Fail
@Sunita - good point. The CISO role is greatly misunderstood in healthcare. People and even some healthcare CIOs in organizations where most of the IT work is outsourced do not understand the role of the CISO. In one such organization where they were paying the CIO in the 700K range wanted to hire a CISO at the 140K range. Even the reporting relationships did not make sense. 
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Must Reads Oct. 21, 2014
InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
A roundup of the top stories and trends on InformationWeek.com
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.