It was four years ago when Omar Khawaja, the CISO at Pittsburgh-based Highmark Health, realized he needed to change the culture of his information security team. Employees were continuously questioning the long-term vision of the organization, and many, as a result, would leave Highmark within the first year after being hired.
“[There was a time] when about 42 percent of my team left in the first year,” Khawaja candidly admits in a recent interview with Healthcare Innovation. “So, we spent nine months figuring out what the strategic vision for the organization would be, bringing in change management experts to help us understand why we needed to change, and what the future state would look like. It was a robust transformational process and we spent the subsequent three years executing on that transformation,” he says.
At the onset of this change management progression, Khawaja quickly accepted a few fundamental aspects that would be necessary for success: first, that the future state would be one in which security is frictionless for the users who consume technology; second, that a holistic, “zero-trust” model that required strict identity verification would be adopted; and third, that Highmark would instill a realization-focused and risk-based culture rather than an installation-focused culture.
After looking at various risk frameworks and methodologies in the context of cybersecurity, Khawaja and his team landed on Factor Analysis of Information Risk (FAIR), a framework for cybersecurity and operational risk. The FAIR Institute provides information risk, cybersecurity and business executives with the standards and best practices to help organizations measure, manage and report on information risk from the business perspective, according to its website.
Khawaja eventually made it a requirement that every director and manager within Highmark’s security program had to take the FAIR certification so that everyone spoke a common language, which Khawaja believed was necessary in order to bring the disparate parts of information security into one cohesive culture.
Khawaja acknowledges that it’s rare to see healthcare organizations fully embrace a framework such as FAIR for cybersecurity, and one big reason for that, he believes, is the traditional pessimistic clichés that have long existed in this sector.
“[For instance], we like to say ‘compliance is not security,’ but that is not true. We also like to say ‘it’s a matter of when, not if [a breach occurs],’ but that is a fatalistic approach. You would never hear doctors go into appointments with patients and tell them that it’s a matter of when, not if, you will die. They have much more discipline than we do,” he points out. Another common cliché, he offers, is that “You cannot measure ROI on security, but again, that’s a pessimistic viewpoint, and in reality, there is significant value in trying to quantify cyber risk. So, maybe these clichés were true 10 or 15 years ago, but they are increasingly less true now. And it takes time for people to be willing to stand up to those truisms,” he contends.
Nonetheless, Khawaja says he’d be surprised if more than 10 percent of U.S. hospitals are looking at frameworks such as FAIR with a real level of seriousness and have actually adopted them. But at the same time, he says he would be shocked if, in five years, that number isn’t closer to 40 to 50 percent.
Another core problem, as Khawaja sees it—and this is a common challenge for many healthcare cybersecurity professionals—is that executive decision makers of patient care organizations are still not investing enough resources into information security. That said, Khawaja has a unique perspective on how to improve in this area; he believes that the security team can evolve in how they express their needs to the organization’s business leaders.
“When I talk to my peers, for the ones who understand the business and are able to make that case [for increased cybersecurity resources] and tie it back to patient care—which is the ultimate business outcome that hospitals exist to deliver—larger budgets will become available. When we don’t do as good a job explaining things in business terms, that is when it doesn’t work,” he says.
Khawaja adds that it’s unfortunately more typical for a security leader to go to business leaders and talk about all the technology needs they have, but when it is expressed in that way, what the C-suite leaders hear is that this security person is complaining. “But the business doesn’t exist to make this person happy; it exists to deliver services to the patient. When security teams make the [pitch] only about security, those budgets aren’t as available,” he says.
Getting more specific, Khawaja gives an example of a security leader telling someone on the business side that the organization’s IT systems need to be updated right away, and if they aren’t, the security department will not be happy. “It’s a natural tendency for people to go to others and tell them something [needs to be done] to serve me or to serve the team. But what you should really say is that this needs to be done to serve yourself, the business, and the customer. I tell my team to not make it about security, but about the business.”
He continues, “Oftentimes in the world of security, we tend to be ‘techies,’ and we don’t spend the time to understand the impact of security, understand what we are actually defending, why we are defending it, and what happens when we don’t do a good job. Those are the important conversations as opposed to only focusing on the how.”
To that end, having a deep understanding of how the business works is something that Khawaja believes is of utmost importance, and he has thus put an increased emphasis on getting his team to do the same. For instance, much of his security department has taken to shadowing clinical leaders, such as chief nursing officers across the Highmark enterprise. “By doing that, you are understanding the business needs better, and ultimately getting closer to the customer. It is our job to learn the language of the business—not the other way around,” Khawaja says.
Beyond that, he believes that CISOs themselves should spend more time in general trying to better understand people. He estimates that the average CISO spends up to 90 percent of his or her time on technology, when in reality it should be closer to 10 or 20 percent. This was a lesson learned by Khawaja when he first became CISO, as he was spending approximately 40 percent of his time with vendors to understand how their technology works. “But I have now gotten rid of almost all that. I might have two or three vendor meetings in a given month,” he says. “Understanding how people work—and not just how cybersecurity works—will ultimately help me drive a stronger security program.”