Many chief information security officers in healthcare are promoted into the role from more technical positions working on specific implementation projects. One of the most challenging aspects of that transition is shifting from IT project work to more strategic and communications efforts.
Mike Wood, who was promoted last year to director of information security at Integris Health, an integrated health system based in Oklahoma City, has been getting comfortable in that new role and building relationships. “Transitioning from being a technical manager to a role like this, there is a need to shift your focus from technical day-to-day work to strategic work and aligning with business needs,” he said in a recent interview.
In January 2015, Wood took advantage of an invitation from the Cyber Risk Services arm of Deloitte to take part in a one-day “CISO Transition Lab” that allows newly appointed or incumbent CISOs to step out of their daily work to take a look at their function and identify some priorities.
Raj Mehta, a partner in Deloitte Cyber Risk Services, said participating in the CISO Transition Lab can be valuable because with the increasing attention on data breaches and targeted attacks comes more visibility for the CISO position. The CISO needs to step up and look at things from a business issue and risk perspective and figure out how to educate executives, he said. “The CISO role is not a technical role anymore,” Mehta stressed.
One goal of the Transition Lab is to help CISOs improve communications with other executives. By identifying what they spend their time on now, Deloitte assesses strengths and weaknesses and suggests changes CISOs could make in the next 180 days to be more effective in that role. If they are spending 80 percent of their time on tech details, maybe they don’t have the right support staff or maybe they are not looking at the forest but looking at all the individual trees, Mehta said.
Communication is key, Mehta added. “A lot of times we find a communications gap. They tend to talk bits and bytes, instead of how something might impact patient care and delivery of services. We try to help them think broadly and be more of an executive level presence.”
Wood said he reports to the chief technology officer at Integris. I asked Mehta whether there was an optimal place for the CISO on the organizational chart. He said that if you talk to security professionals, many will say that if they report to the CIO they will not be able to make an impact. “I think it depends on the organization,” he said. “I have seen it work both ways and fail both ways. Wherever you sit on the organizational chart, you have to have visibility and the ear of executives at the right level in order to have meaningful conversations about risk points and ways to address them. If you have the right skill set and support structure and the ability to create visibility, you can be very effective.”
Deloitte has identified these common challenges shared by new CISOs (across industries, not just in healthcare):
• Lack of resources and effective team structure
• Ineffective communications/reporting among stakeholders and throughout the organization
• Inadequate governance including overall strategy and processes
• Lack of support or trust from executive leadership and stakeholders
• Insufficient funding
Wood said that Integris has had a strong focus on information security for the last 10 years, so it may not share some of the maturity-level concerns other healthcare organizations are dealing with. Nevertheless, he said, funding is always a concern. “You want to make sure you are spending in the right place,” he said. Staffing also is a big issue for him right now. “With all these breaches in the news, it drives up the demand for information security professionals and they are becoming more and more scarce,” he said.
One of the ideas identified in the Transition Lab was establishing a governance structure. Since then, a governance committee for security has been established at Integris with members from across different parts of the organization to help align security practices with the business and operations.
Wood has noticed that the board and CEO are paying more attention. “I have had the opportunity to talk with the CEO, and the CEO came to talk to the members of the security group, one on one, about what their concerns are,” he said. “We are getting a different level of attention.”