Cyber attacks on hospitals are on the rise – healthcare security officials urgently need to keep their organizations and the people they serve safe. But the many decisions and actions required to ensure security are complex and go well beyond the role of the CISO.
CISOs need to know how to navigate cultural issues and share best practices for building consensus in their organizations – at all levels – including effective communication strategies to gain buy-in from top management.
Jacki Monson, Vice President, Chief Technology Officer, Chief Information Security Officer and Chief Privacy Officer at Sutter Health, will speak on the same topic at the upcoming HIMSS Cybersecurity Forum, a virtual event to be held from December 6 to 7.
Its session is titled “Achieving buy-in, changing the culture around security and connecting to business needs”. His co-presenters at the session will be Dan Bowden, vice president and CISO at Sentara Healthcare, and Saif Abed, director of cybersecurity consulting services at Abed Graham Group.
IT health news interviewed Jacki to get a taste of her session.
Q. What are some of the cultural issues that hinder good cybersecurity?
A. There are currently a few cultural issues that organizations face that hinder good cybersecurity. One of the main issues many organizations are working on is the rise of the remote work culture.
In response to COVID-19, employees who used to walk into the office, open their computers, and securely access a secure network, suddenly tried something different. They ensured that their home Wi-Fi networks met security requirements and that their workspaces were physically secure, even though the space allowed for a separate location.
They also had to properly “walk” into their office and safely handle documents and other issues. On the other hand, organizations have also strived to make changes to their networks to allow employees to engage in secure and efficient remote working.
Organizations have balanced this while managing supply chain shortages on things like computer monitors, hard drives, and other necessary tools. Employees, who we all know are the front line of cyber defense, have also often faced challenges in their remote work environments. They helped their children to home school or worked from home alongside their partners.
These new demands and distractions have created unique security awareness challenges that can be difficult to communicate and resolve. For example, helping employees understand that corporate devices are meant for the business only when there is a shortage of home computers.
There’s also fatigue – mistakes are made when employees are tired – and COVID-19 and other events have made the past two years an exercise in overstimulation and extra work for many.
As remote workers take hold and organizations have adjusted their cybersecurity strategies accordingly, these cultural issues create fewer barriers to cybersecurity. However, they remain challenges and will continue for the foreseeable future.
In addition, we face very limited resources for our frontline workers. This means we must continue to find ways to help them while they support patients and families, while reducing organizational risk.
In addition to continuing phishing campaigns throughout the pandemic, we are also finding new ways to mitigate cyber risk, such as blocking access to third-party emails and unsecured digital vaults.
Q. How do CISOs and CIOs overcome these issues?
A. Overcoming cultural barriers to cybersecurity requires a multi-pronged attack.
First, we still need to align with the commonalities, essentially, surrounding patient safety and quality with cybersecurity. One thing to always consider: privacy and security by design. Security teams need to interact with the business from day one of projects and ensure that privacy and security considerations are taken into account at the start of a project rather than in the middle or end.
The approach avoids complicated processes or procedures added to a project at the end. Not only does this help an organization save money, it also allows privacy and security to be seamlessly integrated into an end product. If we can make privacy and security easy – and maybe even invisible to the end user – people are more likely to engage and comply.
Another way for CISOs and CIOs to overcome these issues is to find common understanding and areas of mutual interest. When cybersecurity is viewed as a team effort, more people are likely to step up and seek to be part of the solution.
Frame security conversations so the company knows you’re looking for a partnership. In other words, communicate that you want to help them be successful and prevent things like ransomware and maintain data privacy.
Help employees see that the safety controls and practices you ask them to follow at work can also benefit them in their family life. When CISOs and CIOs can focus on a common understanding and mutual benefit, their teams are less likely to experience a setback.
Q. What are some effective communication strategies for gaining buy-in on cybersecurity issues from senior management (non-security executives)?
A. When communicating cybersecurity issues to non-technical senior executives, it’s always helpful to focus on the “why” of any request. It also helps translate cybersecurity issues into the language of business risk. This approach helps senior management see how a strong cybersecurity strategy and program relates to the organization’s mission.
The importance of translating cybersecurity issues into the language of business risk helps to gain buy-in, as it places cybersecurity in a language understood by top management. Most senior executives may not understand firewalls or how to reverse engineer malware.
However, they understand that it is essential to ensure the safety of patients and the organization. To achieve this, we must mitigate the business risks that can create vulnerabilities.
Monson’s session, “Achieving Membership, Changing the Culture Around Security and Connecting to Business Needs,” will be broadcast virtually from 11:25 am to 11:55 am on December 6.