Succeeding as a chief information security officer (CISO) in healthcare requires both technical and leadership skills. The technical savvy often comes naturally, thanks to education and work experience in engineering or computer science, but the same can't always be said for the leadership acumen.
This experience matters. CISOs who "sell" security to their boards of directors better frame how their organizations invest in security technology and personnel. In turn, they lower the risk profile for their organizations as a whole, says Daniel Nutkis, CEO of the Health Information Trust Alliance (HITRUST). Individuals who do it right "become part of the risk assessment," he says.
Management and leadership experience, however, comes at a premium. It resides primarily in large, sophisticated healthcare organizations where ascending to the position of CISO or chief information risk officer (CIRO) requires a level of skill development and maturation that those at smaller firms, for a variety of reasons, may not get.
To address this need, HITRUST and the Southern Methodist University Cox School of Business have created a certificate program in healthcare information security and technology risk management. The course takes place over four and a half days at the SMU campus and includes a final assessment. Applicants must be nominated by senior managers within their organization.
"Information security is going from b-o-r-e-d, a boring technical topic, to b-o-a-r-d, as in the board of directors," says Frederick R. Chang, a cybersecurity expert at SMU and faculty member for the program.
Healthcare CISOs Must Be Ready to Explain Themselves
Healthcare has faced what Nutkis calls "electronic threats" to its security for some time. By and large, CISOs understand this. The difference, as recent cases such as the Target breach and the Russian hack illustrate, is that "the time is just compressed now."
Target's CIO and CEO both lost their jobs in the wake of the breach. That's getting the attention of executives and boards of directors who (rightfully) want to know how CISOs plan to protect them. Deciding what to spend on hardware, software, personnel and insurance is hard enough; articulating the rational basis for doing so can be even harder, Chang says – especially for CISOs more accustomed to explaining how a firewall works.
The management of information security – its economics, its place within larger business processes and its intersection with government policy – therefore weighs heavily on the curriculum of the certificate program. So, too, do project management and risk assessment.
Nutkis says HITRUST's regular surveys of CISOs and CIROs and their attitudes toward risk offer a prescient glimpse into the tenure of those professionals. Those who take a management approach and demonstrate a willingness to mitigate the risk associated with something end users want – for example, the ability to use iPads in an exam room – tend to stay in their jobs longer than those who say, "No" and, when pressed, add, "Because I said so."
Leadership Brings CISO in 'Lock-Step' With Management
That's why the leadership skills necessary for this type of communication also play a part in the course curriculum.
Today's steady stream of incident reports can easily lead to "security fatigue," Chang says, and the reactionary policies that result can, in turn, lead to an "adversarial relationship" between end users and a CISO. To stay a step ahead of threats, he adds, security professionals need to ask more of employees: "You need to work across the organization to implement policies and procedures that are good for the organization."
Getting this right means taking the time to explain why these policies and procedures have been enacted, Nutkis says. This requires going beyond the technical part of being a CISO or CIRO and into the sales and general management role. Healthcare CISOs have a bit of an advantage, he adds, as physicians who practice evidence-based medicine actively seek explanations for why things happen.
It's a small step, Nutkis says, but it can be a difficult one for most CISOs and CIROs who, like the CIOs of 20 years ago, "ended up" in the role having intended to pursue a different career path. However, the security professional who can get buy-in on a complex password policy is one who, with proper training and maturation, can partner with other departments, educate the board about managing and mitigating risk, and, ultimately, "make the CISO lock-step with senior management."