The Healthcare CISO: An Essential Cyber Guardian

Aug. 27, 2018
As cybersecurity incidents continue to increase and evolve, the CISO has become a pivotal role. What are the challenges healthcare leaders face in identifying and recruiting CISO candidates?

Business-driven information security executives at the C-suite level remain in high demand. This is particularly true in the healthcare industry as cybersecurity incidents increase and evolve. The notion of not if, but when an attack will occur remains cemented in the minds of healthcare leadership teams and boards. Market trends and forces, such as the shift to a ubiquitous digital environment and consolidation through mergers and acquisitions are fueling the increase in cybersecurity risk.

Three quarters of respondents to the most recent HIMSS cybersecurity survey said that their organizations had suffered a major security incident in the previous 12 months. Meanwhile, SecurityScorecard ranks healthcare 15th out of 18 industries in terms of cybersecurity preparedness.

With an undeniable and precarious cyber-threat landscape, the value of having a Chief Information Security Officer (CISO) continues to rise. With cyber-attacks threatening to disrupt care delivery and patient safety, increase breach costs, and damage brand reputation, the CISO role is a leadership imperative. Not only does a CISO drive an organization’s information security program but it is also critical in establishing a culture of cyber-safety and risk awareness that permeates the entire organization.

Recruiting Challenges

Provider organizations have made considerable progress in hiring CISOs over the past few years; however, some challenges still exist:

Salaries are rising with demand, pricing some organizations out of the market for top-notch executives; according to a recent Information Systems Security Association (ISSA) study – "The Life and Times of Cybersecurity Professionals" – the number one factor most likely to cause a CISO to leave one organization for another is being offered a higher compensation package. It is safe to say that healthcare CISOs as a separate category would have similar statistics. 

Organizational budgets and commitments are still not where they should be, given the outsized risk that cybersecurity issues involve in healthcare; the same ISSA study suggests that another factor likely to cause a CISO to leave is that the budget for cybersecurity is not commensurate with the organization's size and industry.

Many healthcare organizations are still young in terms of their cybersecurity maturity. Responsibilities and reporting structures for CISOs vary from one organization to the next, making it difficult to recruit individuals with aligning skill sets and expectations.

Regarding the latter point, healthcare provider-based CISOs are primarily reporting up through IT and/or Corporate Compliance. Some CISOs are leading the Security Oversight function while others are responsible for all areas including security operations. Many organizations have elevated the CISO position to the Vice President level and are more open to recruiting candidates outside the industry, which has helped mitigate the high-demand, low-supply candidate pool dilemma.

What's Needed in Today's Healthcare CISO Candidates

As a result, identifying the ideal CISO is a necessity for healthcare organizations. The CISO must be an executive who can effectively lead the strategy and operations for the information security program of an enterprise.

The ideal background for a CISO in healthcare includes executive and board level presence with excellent communication and relationship-building skills. The ISSA study referenced above suggests that leadership skills (52 percent), communications skills (43 percent) and a strong relationship with business executives (35 percent) were the three most important qualities of a successful CISO. Other abilities that are essential for healthcare CISOs include:

  • Knowledge and experience in information security, risk management, and regulatory compliance;
  • Progressive experience in information security management, including planning and policy development and training/awareness;
  • Strong business acumen—the ability to enable the business while communicating risk;
  • Proven success as a strategic leader who is up-to-date on current and future trends including the utilization of security tools associated with artificial intelligence, machine learning and analytics;
  • Active engagement at the local and national level, sharing and learning intelligence and best practices in cybersecurity.

For many healthcare organizations, it is a matter of not if, but when they will begin ramping up their cybersecurity programs, technologies, and readiness. “The divide between the ‘real world’ and cyberspace is disappearing,” says Cleveland Clinic CISO Vugar Zeynalov. “Healthcare organizations are looking for cybersecurity professionals not to shield them from cyberspace, but to help them safely execute digital strategies.” The CISO has become a pivotal role from an operational and strategic standpoint.

Nicholas Giannas is a consultant in Witt/Kieffer’s Information Technology practice. Healthcare Informatics’ “Industry Voices” articles provide a platform for industry experts to weigh in on the latest healthcare IT trends and best practices. All Industry Voice submissions are subject to editorial approval and cannot include explicit mentions of vendor products.