What organizations need to hear from their CISOs
After nearly eight years as chief information security officer at Temple Health University Health System, Mitch Parker last September joined Indiana University Health. There, he told executives what he had told his team at Temple—cyber threats are not an information technology department problem but a security problem.
CISOs who are new to an organization need to stress the challenges that cyber threats represent and the adequacy, or lack thereof, of current security procedures, Parker said Sunday during a presentation at HIMSS17.
That starts with educating other executives about breaches: why they occur in the first place, the technology behind them and, most importantly, the process failures that cause them.
CISOs should talk about the cyber environment using non-biased sources from firms such as Gartner, Ponemon and health insurers to report to colleagues on trends and emerging threats. And they need to insist that the organization join cyber threat sharing initiatives across their region and the industry.
Information security must be tied to two enterprise levels—information systems and the organization's strategy, Parker stressed. “Metrics need to focus on augmenting and supporting the overall strategy,” he added.
Parker suggested adopting the Lean methodology for improving security performance, as the program is all about process improvement and asking why less-than-optimal processes continue to exist. And employees responsible for information security, regardless of where they sit in the organization, should be told that they need to understand Lean.
Further, Lean should be used to design and maintain systems covering business customers, enterprise architecture, legal contracting, compliance, supply chain and enterprise risk scoring, making sure that various teams are on the same page with security.
This is grunt work, Parker warned: “You can’t buy your way into this.”
If an organization decides to purchase cyber insurance, it must understand the need to complete a comprehensive risk assessment that includes pointed questions to determine the strength of the security program. Not only are insurers looking for that assessment, but so is the HHS Office for Civil Rights, which enforces the HIPAA privacy, security and breach notification rules.
Good information security, Parker said, has its hooks in clinical risk management, insurance, emergency preparedness, privacy, corporate compliance, supply chain, revenue cycle, information management and Joint Commission requirements, among others.
To be successful with this laundry list, an organization must embrace change management in an overall enterprise model, Parker advised. “If one player says, ‘I do my own change management,’ it won’t work. Either there’s one change management program or there’s none.”