Don't Set The CISO Up To Fail - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IT Leadership // CIO Insights & Innovation
09:06 AM
Mansur Hasib
Mansur Hasib
Connect Directly

Don't Set The CISO Up To Fail

More healthcare organizations are hiring CISOs -- a good thing. But bad management structure, insufficient resources, and poor understanding of risks often doom these newly appointed security executives.

My 2013 national survey of healthcare organizations discovered that about half the CIOs in healthcare report to CFOs and other executives, and not the CEO. This structure is dangerous for both the organization and the CIO for several reasons.

First, the CIO's pay is reduced -- at least a full grade level lower -- than it should be. Second, the CIO cannot participate in organizational strategy meetings because of rank.

Most important, the CFO and other executives run IT and cyber security strategy, instead of the CIO. IT department pay, including that of the chief information security officer (CISO), is lowered, making it challenging for the healthcare organization to acquire and retain top talent. Finally, the CIO becomes an ideal whipping post for any failures, but other executives are well protected, even though they make the final decisions.

[Why did Oregon's Obamacare site flop? Read Oracle Documents: Politics Sabotaged Oregon Healthcare Website.]

With the fall of Target's CEO, things appear to be improving. At every conference I attended recently I learned that CEOs and boards are now very engaged in cyber security discussions. Many are scrambling to hire their first CISOs. Because healthcare organizations' security lags behind retailers, it's even more critical for the nation's hospitals, clinics, and practices to recognize the value CIOs and CISOs deliver.

My survey also found many healthcare organizations pay insufficient attention to cyber security: In fact, 21% do not plan to have a CISO in the near future.

(Source: Impact of Security Culture on Security Compliance in Healthcare in the USA by Mansur Hasib, 2013)

(Source: Impact of Security Culture on Security Compliance in Healthcare in the USA by Mansur Hasib, 2013)

The new breed of healthcare CIOs will have to include a strong cyber security strategy in their IT strategy, which in turn will drive the strategy for the entire organization because IT is the life blood of most organizations today. Some of these CIOs could come from the ranks of today's highly qualified and strategic CISOs -- people who understand business risks, can tailor strategy to mission, have continually learned (by earning appropriate advanced degrees and certifications), and have demonstrated cyber security leadership.

Although I am glad CEOs and boards are waking up and realizing the importance of cyber security strategy, a few observations concern me. Some CEOs and boards are engaging their IT and cyber security staff to "make sure this does not happen to us" -- without really understanding what cyber security or cyber security leadership is. Some departments are getting their cyber security budget doubled -- without even asking. Yet these organizations remain focused on a compliance culture that is expensive, tactical, and regressive. In addition, despite serious shortcomings, some organizations are even embracing the new NIST Cybersecurity Framework as a badge of honor and adopting it as an auditing standard.

However, any organization that spends money on cyber security as a separate component of the IT budget is approaching it wrong. Cyber security must be baked into the entire IT strategy.

During my 30 years of managing IT and my 12 years as a CIO in healthcare, biotechnology, and education, I never spent on cyber security as a separate component. I always focused my IT strategy on the organization's mission. I always implemented systems and technology with the goals of maximizing confidentiality, integrity, and availability, using a balanced mix of technology, policy, and people while perennially improving over time.

I used a risk balancing (of both positive and negative risks) approach to prioritize spending, frequently using a multi-year transparent vision. I empowered and trained all the people in my organization, ensuring they could use technology to make themselves more productive and innovative. I implemented a governance framework that encouraged teamwork, fun, transparency, continual learning, and a virtuous culture of innovation and safety. This is what modern cyber security is and what a cyber security culture can achieve.

Pursuing compliance is like planting annual flowers. They look great for a short while. Then they die and get more expensive each year. Compliance in technology and policy does not govern behavior of people; culture does. We should invest in a cyber security culture and gain the benefit of perennial flowers. They improve in quality, abundance, and size each year and you can even divide them and spread them around your garden. It is time for cyber security leadership.

Here's a step-by-step plan to mesh IT goals with business and customer objectives and, critically, measure your initiatives to ensure that the business is successful. Get the How To Tie Tech Innovation To Business Strategy report today (registration required).

Dr. Mansur Hasib is the only cybersecurity professional in the world with 12 years' experience as CIO; a Doctor of Science (DSc) in Cybersecurity; CISSP (cybersecurity); PMP (project management), and CPHIMS (healthcare) certifications, who has written two books on the ... View Full Bio
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Author
7/30/2014 | 9:35:16 PM
Re: Re : Don't Set The CISO Up To Fail
@Sunita - good point. The CISO role is greatly misunderstood in healthcare. People and even some healthcare CIOs in organizations where most of the IT work is outsourced do not understand the role of the CISO. In one such organization where they were paying the CIO in the 700K range wanted to hire a CISO at the 140K range. Even the reporting relationships did not make sense. 
User Rank: Author
7/8/2014 | 9:20:12 AM
More Than Words
In one way, it's encouraging to learn that more healthcare organizations recognize they must hire a c-level executive to oversee security, realizing security responsibility is more than the CIO can take on. On the other hand, your points about management structure resonate -- and I would imagine many CIOs and CISOs who find themselves in the position you describe (where they report to the CFO or other non-CEO exec) are nodding their heads in frustration and agreement with your points about salary, responsibility, and the burdens they face.

The best organizations in any vertical appear to have realized that security extends far beyond technologies and processes; rather, security is part of their culture and as the leader of all facets of security, the CISO is a key part of the organization's leadership team. S/he is integral to pretty much every aspect of that organization's future growth, measuring risk vs reward, and cannot be seen as lesser to the CFO or any other c-level exec.
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Why IT Leaders Should Make Cloud Training a Top Priority
John Edwards, Technology Journalist & Author,  4/14/2021
10 Things Your Artificial Intelligence Initiative Needs to Succeed
Lisa Morgan, Freelance Writer,  4/20/2021
Lessons I've Learned From My Career in Technology
Guest Commentary, Guest Commentary,  5/4/2021
White Papers
Register for InformationWeek Newsletters
Current Issue
Planning Your Digital Transformation Roadmap
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Flash Poll