The Role of the CIO in Promoting Cyber Security
Because of the importance of cyber security and the increasing risk to healthcare organizations, most companies now have someone responsible for leading and overseeing cyber security. In many organizations, information security leaders (i.e., the CISO or IT Security Director) report to the CIO, making it easier for the CIO to influence cyber security decisions directly. Even where this is not the case, the CIO should remain heavily involved in promoting and supporting cyber security initiatives.
Depending on which source you read, slightly more than half of the information security individuals report to the CIO. When this is the case, the CIO has many things he or she can do to help promote cyber security and support their security person(s) or team. Regardless of the reporting structure in an organization, many of these will hold true even if the CIO does not have direct responsibility or oversight of cyber security.
While cyber attacks on healthcare organizations and hospitals continue to rise, the amount invested in cyber security has declined from previous years. Hospitals and healthcare organizations spend less on cyber security, as a percentage of revenue, than the retail industry and the finance sector. These budget reductions are occurring at a time when healthcare breaches now surpass both of those industries in the size and scale of cyber attacks.
On average, healthcare organizations spend only 5% of their budget on cyber security.
While there are many reasons for this, every dollar must be used effectively and efficiently to combat the ongoing threats healthcare faces today.
An organization must ensure funds are set aside to support the various cyber security initiatives that are needed. Without funding, it will be challenging to identify and address any cyber security risks successfully. There must be a continued financial investment in cyber security which will allow for the proper staff, tools, and third-party assistance (if needed) to deal with threat analysis, remediation, and incident response.
There are a lot of internal and external pressures and competing priorities that make an IT budget difficult to put together each year. A lot of thought and planning needs to go into the budget planning process to make sure it aligns with the needs of the business while taking into account various IT infrastructure needs. It is the CIO’s responsibility, in partnership with their team, to ensure that the proper funding for cyber security is included in the budget (where and when appropriate).
Leaders must guard against not investing in cyber security and then rushing to do so once an adverse event has occurred. If this happens, it is too late and typically the incident response, impact to the business, unwanted press, and negative impact on the company brand costs more than the initial investments would have.
In the case of cyber security, the best defense is a good offense, and that requires CIOs and their organizations to fund this area appropriately.
Bridging the gap between security and functionality
Any good cyber security leader will be focused on securing their organization and will likely default to that position rather than focus on functionality and usability. They take seriously their responsibility to ensure the safety and security of the important data we are all entrusted to protect. Because of the CISO’s solid focus on security, it will at times be necessary for a CIO to get involved in various discussions and help weigh the security needs against the usability and functionality of a solution.
It is the CIO’s job to ensure that security solutions are not so demanding that usability and functionality suffer beyond an acceptable level. This is especially true when caring for the patients at the bedside or in a clinic where the number of “clicks” and time spent at the computer matters.
The CIO needs to be able to explain the need for the various security controls while seeking to understand the impact of any security decision on the organization. I have found that at times, the most secure solution can also be the most difficult to use, requiring some compromise or modification to balance both security and functionality.
The safety and security of our important data must be paramount in our decision-making process.
However, our security solutions cannot be so onerous that they make it impossible for employees to access and use the systems they need. Many times, it will be the CIO who helps bridge this gap in an organization.
Awareness and communication
Another essential role of the CIO is helping to bring awareness to the cyber security threats the organization faces and explain what is being done to address them. This can happen in a variety of ways and may include one-on-one conversations, addressing various committees, speaking in meetings, and updating the other senior leaders in an organization.
The message also needs to be shared that cyber security is everyone’s responsibility. It is not just the IT department that is responsible for securing the organization’s important data and assets - it is a shared responsibility that everyone has. Arming employees with knowledge about the dangers of clicking on unknown links, responding to a phishing message, or giving out a username and password is a message that needs to be shared often. IT can and should invest in tools and technologies to help defend against cyber threats, but education is still the best way to protect and secure an organization.
CIOs should look for opportunities to explain the threats the organization faces and discuss what every employee can do to help.
It is also vital that the organization’s board receives at least an annual update regarding the cyber security threats and what is being done to assess and address them. Since cyber security is an issue nearly every organization faces, board members are becoming more involved in this area and are looking for updates on some periodic basis. Regardless of the reporting structure of an organization, the CIO should participate in the board discussions regarding cyber security.
Encourage IT Security to be at the table when developing solutions
When building or buying a solution that addresses a business or clinical need, organizations often focus on ROI, business needs, cost, time to deploy, etc. While these are all good things to consider, cyber security does not usually make the list. It is the CIO’s responsibility to ensure that the solutions that are being explored have been vetted by the appropriate IT security person(s) or group.
Every CIO should encourage and promote the need for the IT security person(s)/team to be involved in the new solution being discussed. It is important that cyber security is part of the discussions - up front - so that any questions are addressed before a decision to build or buy has been made. I have seen several times where a decision was made, without consulting cyber security, only to have the solution delayed, completely revamped or even canceled due to security concerns that were not thought of.
It is in every organization’s best interest to involve the cyber security team early in the process when seeking to choose and implement a solution.
Getting IT security involved early in the process will help ensure any questions are addressed up front and make for a much better implementation and rollout.
Roadmap and plan
The CIO is responsible for developing and maintaining an IT roadmap. Whether embedded in the overall IT roadmap or kept separate, the CIO should work closely with the CISO to develop and support the cyber security roadmap. This roadmap should be something that can be shared with individuals at any level of the organization and easily understood. Assuming the board is receiving some periodic update, this would be a great document to review and track with them as well.
IT security cannot merely be reactive but must mature to a place where plans are discussed and made about where the priorities lie. Like the IT plan, this roadmap must be flexible enough to adapt to any new threats or changes that occur from year to year. It is also a great document to use when planning budgets for both current and future years.
I am a fan of clear and concise one or two-page visual IT roadmaps. They should be easily understood and something that is discussed and shared often. If they are so complicated that people do not understand them, they have little-to-no value and cease to become a true roadmap for others to gauge where IT is going.
To quote Yogi Berra, “If you don’t know where you are going, you might end up someplace else.” Every IT security program needs a clear and concise roadmap, and the CIO should help communicate the message whenever he or she can.