In the urgent scramble to hire cyber security executives, some organizations appear to favor candidates with time spent in a business vertical such as healthcare -- often against the advice of competent counsel. They bypass stronger cyber security professionals who would need to learn the new business environment in favor of candidates who understand the industry but still need to learn cyber security. Essentially, these organizations try to turn healthcare executives into cyber security executives, a very risky idea indeed.
It will take an organization about a year to figure out that it hired the wrong person. During that time, more damage and further atrophy will occur. Even a wizard cannot fix years of neglect quickly, so hiring the right person the first time matters greatly.
Having transitioned into a variety of business environments during my career and having observed failed transitions of business executives such as financial, marketing, or human resources officers into IT and cyber security executives, I urgently felt the need to share my thoughts on this. During the recent round of health insurance exchange implementations we could have avoided many of the problems we saw if IT executives -- not healthcare executives -- ran the projects.
First, it takes years and very specialized training to become an IT executive. It takes even more specialized training to become a competent cyber security executive. People cannot become competent cyber security professionals within a few months. However, a competent cyber security executive who spent a lot of time in one industry can adapt to another industry within a short period of time -- usually three to six months -- depending on the size and complexity of the organization. I have done this several times throughout my career.
The key is to hire people who are T-shaped. These individuals have strong domain knowledge in a couple of key areas (the stem of the T) but are interdisciplinary and circumspect in their critical thinking and can adapt and apply their skills across a broad range of industries and situations (the top of the T).
Organizations need to understand that cyber security is a vast field, and a cyber security executive must have a balanced approach to using technology, policy, and people. The CISSP certification -- Certified Information Systems Security Professional -- is, while not the only measure, a good indicator of cyber security executive skills. It is not a technical certification, although many seem to think so. I have seen ads for much lower-level and even technical positions requiring a CISSP.
While preparing for and then taking the lengthy CISSP test back in 2009, I realized how CISSPs have to think. Every answer for most questions in the practice exams and the actual test was correct. Our coach warned us there was a 70% failure rate because most people who come from a very technical role tend to choose the best technical answer. Instead, the test assessed the subjective skill of selecting the optimal answer -- the one that required a leadership framework of thinking and the answer that was most circumspect. Business skills such as risk mitigation, gathering more information, assessing choices against the mission, communicating with people, and governance skills had a major role in helping us choose the best response.
Finding the best cyber security executive is far more important than choosing someone who has spent a lot of time in the industry. In the healthcare sector, I have observed many hospitals that rely heavily on vendors and contract workers and do not even have internal IT talent, much less IT executives such as a CIO or CISO. In these organizations even existing CIOs are much more into budgets and financial management than technology or cyber security strategy.
The only way to address this is to seek out true IT executives who are interested in and excited about the organization's mission, someone who can be a key member of the team and a true partner for the CEO. Every industry has some industry-specific laws, rules, and regulations. Most often there are people within the organization who can help a cyber security executive transition by explaining the business and providing the industry-specific knowledge required to succeed. But if an organization that has no executive cyber security talent to begin with hires a business executive instead, who is going to help that new CSO transition into a cyber security professional? The experiment is doomed to fail from the start, and it could be a really expensive and embarrassing failure.