Jothi Dugar has heard for years that as a woman, she would face an uphill climb in becoming a C-suite information technology executive. That in and of itself is true; current research has estimated that males hold about three of every four jobs in the technology world, and in cybersecurity specifically, the gender difference among the workforce is often even more stark.
But as Dugar—the chief information security officer (CISO) at the National Institutes of Health’s (NIH) Center for Information Technology—sees it, being able to think critically, solve problems logically, work collaboratively with others, and be detail-oriented, are hardly gender-specific attributes. In fact, these are the skills she started learning at a young age when she opted for educational paths around biomedical science and engineering.
A career built on hard work and always looking for the next challenge, Dugar is one of few leading women across the globe in healthcare’s cybersecurity sector. She spoke with Healthcare Innovation about her unique path to becoming an NIH CISO, some of the institute’s key initiatives in this area, her thoughts on the overall state of healthcare cybersecurity, and more. Below are excerpts of that discussion.
Tell me a bit about your path to becoming a top cybersecurity executive at the NIH? How did it all begin?
When most kids were spending summers in pools and babysitting, my parents made me get biomedical-type internships, so I thought at some point I would go into that field, but it wasn’t too popular in the 1990s. Then my parents pushed me toward engineering, and that’s the degree I got in college. That gave me the ability to think critically, fast and problem-solve in a logical way. After college, a lot of the engineering work I did [led me] into project management. So, the structure of engineering taught me how to think critically, while project management taught me how to be more organized and work collaboratively with others.
One of my previous bosses advised me to try working in cybersecurity, and this was when cybersecurity was starting to “get out” in 2005. Back then, about 90 percent of the cybersecurity workforce was male. So I wasn’t thrilled about that, but the topic itself was fascinating to me and every day was different. Little by little, I built my way up and then became CISO for NIH’s Clinical Center, a [position] I held for the last eight years, and then just recently I got a promotion to be CISO for NIH’s Center for Information Technology (CIT).
When looking across hospitals and health systems in the U.S., how would you illustrate the state of cybersecurity in healthcare today?
Healthcare is definitely far behind any other space. In the past few years, the importance of [security] has been raised, but we’re not where we should be. I get offers from hospitals to become their first CISO, and I will say, “Great, what were you doing before this?” It’s not like your business started yesterday. That’s scary; what would I be walking into here if I am your first CISO?
There is also an underestimation of the funding that’s required for security in a hospital organization. Sometimes a hospital’s security budget might be $300,000, but that can’t even get me training for security. So, you have to be creative in whatever budget you are working in and you don’t necessarily need a $20 million budget for cybersecurity. Often, [health systems] think that hiring a CISO is good enough, but they aren’t backing that up with proper funding and resources.
What are your thoughts on identify and access management and behavioral monitoring approaches?
I have taken more of an integrated, holistic approach. For example, as a person, for health conscious reasons, you won’t introduce bacteria in your body and then try to fight it off through medicine, antibiotics or natural health. You are going to try to keep that bacteria out of your body to begin with. But in technology, it’s a backwards approach—you are introducing all of these criteria into your environment, while trying to figure out how to identify good versus bad and then getting rid of the bad. So why not be proactive and try to minimize what’s getting on your network to begin with?
What are some of the top cybersecurity priorities at NIH’s Center for Information Technology today?
We are a service provider for all of NIH. My vision is for NIH CIT to become a center for excellence, but also for the NIH as a whole, which includes 27 institutes and centers, and the federal government more broadly, to become [centers for excellence].
How important is it to have diversity in the healthcare cybersecurity workforce?
It’s better now; for the last 10 years, the number of females in cybersecurity was about 11 to 13 percent. I’ve heard it’s jumped to 20 percent today, but that is still questionable because it depends on what you classify as cybersecurity since it’s such a broad field. It’s probably around 14 to 20 percent, and yes, that’s a jump, but it’s still not ideal.
I have been passionate about going down to the grade school level and trying to empower women there, because after that, it’s often too late. Teachers or parents are not encouraging girls to stay in STEM [science, technology, engineering, and mathematics], take risks, and make mistakes. And by fourth grade, about 94 percent end up dropping off. There is a misconception that cybersecurity is purely technical, and while you do need to understand technology at least at a basic level, there is a lot of psychology too, such as speaking different languages that you know will resonate. Hospital chief financial officers, for example, don’t want to hear technical jargon, and it’s a CISO’s job to be a change agent for the C-board. I believe that women are great at that.
