Don't Set The CISO Up To Fail

More healthcare organizations are hiring CISOs -- a good thing. But bad management structure, insufficient resources, and poor understanding of risks often doom these newly appointed security executives.

My 2013 national survey of healthcare organizations discovered that about half the CIOs in healthcare report to CFOs and other executives, and not the CEO. This structure is dangerous for both the organization and the CIO for several reasons.

First, the CIO's pay is reduced -- at least a full grade level lower -- than it should be. Second, the CIO cannot participate in organizational strategy meetings because of rank.

Most important, the CFO and other executives run IT and cyber security strategy, instead of the CIO. IT department pay, including that of the chief information security officer (CISO), is lowered, making it challenging for the healthcare organization to acquire and retain top talent. Finally, the CIO becomes an ideal whipping post for any failures, but other executives are well protected, even though they make the final decisions.

[Why did Oregon's Obamacare site flop? Read Oracle Documents: Politics Sabotaged Oregon Healthcare Website.]

With the fall of Target's CEO, things appear to be improving. At every conference I attended recently I learned that CEOs and boards are now very engaged in cyber security discussions. Many are scrambling to hire their first CISOs. Because healthcare organizations' security lags behind retailers, it's even more critical for the nation's hospitals, clinics, and practices to recognize the value CIOs and CISOs deliver.

My survey also found many healthcare organizations pay insufficient attention to cyber security: In fact, 21% do not plan to have a CISO in the near future.

The new breed of healthcare CIOs will have to include a strong cyber security strategy in their IT strategy, which in turn will drive the strategy for the entire organization because IT is the life blood of most organizations today. Some of these CIOs could come from the ranks of today's highly qualified and strategic CISOs -- people who understand business risks, can tailor strategy to mission, have continually learned (by earning appropriate advanced degrees and certifications), and have demonstrated cyber security leadership.

Although I am glad CEOs and boards are waking up and realizing the importance of cyber security strategy, a few observations concern me. Some CEOs and boards are engaging their IT and cyber security staff to "make sure this does not happen to us" -- without really understanding what cyber security or cyber security leadership is. Some departments are getting their cyber security budget doubled -- without even asking. Yet these organizations remain focused on a compliance culture that is expensive, tactical, and regressive. In addition, despite serious shortcomings, some organizations are even embracing the new NIST Cybersecurity Framework as a badge of honor and adopting it as an auditing standard.

However, any organization that spends money on cyber security as a separate component of the IT budget is approaching it wrong. Cyber security must be baked into the entire IT strategy.

During my 30 years of managing IT and my 12 years as a CIO in healthcare, biotechnology, and education, I never spent on cyber security as a separate component. I always focused my IT strategy on the organization's mission. I always implemented systems and technology with the goals of maximizing confidentiality, integrity, and availability, using a balanced mix of technology, policy, and people while perennially improving over time.

I used a risk balancing (of both positive and negative risks) approach to prioritize spending, frequently using a multi-year transparent vision. I empowered and trained all the people in my organization, ensuring they could use technology to make themselves more productive and innovative. I implemented a governance framework that encouraged teamwork, fun, transparency, continual learning, and a virtuous culture of innovation and safety. This is what modern cyber security is and what a cyber security culture can achieve.

Pursuing compliance is like planting annual flowers. They look great for a short while. Then they die and get more expensive each year. Compliance in technology and policy does not govern behavior of people; culture does. We should invest in a cyber security culture and gain the benefit of perennial flowers. They improve in quality, abundance, and size each year and you can even divide them and spread them around your garden. It is time for cyber security leadership.

Here's a step-by-step plan to mesh IT goals with business and customer objectives and, critically, measure your initiatives to ensure that the business is successful. Get the How To Tie Tech Innovation To Business Strategy report today (registration required).

Editor's Choice
Cynthia Harvey, Freelance Journalist, InformationWeek
John Edwards, Technology Journalist & Author
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing