Over the years, the role of information security teams has evolved from primarily a user access management and security operations function, to a holistic information risk management function.

This has led to significant changes in the portfolio of activities that fall under the Chief Information Security Officer’s umbrella.  However, it’s still common for business executives to be uninformed of all the information risks affecting their enterprise and how these risks may impede business objectives.

The increasing tide of threats, data breaches and regulatory requirements is rightfully closing this communication gap, which has led to changes in executive expectations for information security teams.  Unfortunately, these expectations have resulted in a misperception about a security team’s core role and responsibility.  The misperception is that information security is primarily about technology.  

This technology myth isn’t new or wrong in every situation. For the foreseeable future, technology will remain essential for security teams to understand from a capabilities, management and limitation perspective. But the reality is that the expectations of a security team should be the orchestration of security across people, processes and technologies to protect information in support of the organization’s business objectives.

While the tides are changing, much work remains to be done, as recent surveys indicate that only 38% of organizations are prioritizing security investments based on risk and impact to business.

Your People

It’s imperative that the people tasked with building and managing information security programs, whether they are employees or external contractors, understand the fundamentals and have experience in doing so. Historically, information security was viewed strictly as an IT problem.

But now, healthcare executives are beginning to realize that information security goes beyond the borders of the IT department.  Therefore, it’s important to provide your security teams with the ongoing training and education they need to stay on top of emerging threats and learn about existing and rapidly evolving methods for mitigating them.

Enhancing the skills and knowledge of security teams improves your organization’s security posture through better execution and decision-making.  Formally defining and communicating roles, responsibilities, policies and procedures provides everyone with the knowledge needed to efficiently complete their daily responsibilities.

Information security is inherently interdisciplinary and interdepartmental. To maintain a secure environment, a variety of skill sets and functions are needed, including system administration and networking but also legal, compliance, human resources and physical security.

All this complexity requires a great deal of coordination to be effective. The roles and responsibilities of these individuals and departments should be clearly delineated to avoid confusion and security lapses.  When roles and responsibilities are clearly understood, information security teams as well as supporting teams avoid gaps in activities, will not duplicate work already performed elsewhere and  can refocus their efforts on those things that truly advance the organization's goals.

Since information security is in competition with other business objectives, it is essential for executives to define who is involved in security-related decision making so that these individuals are empowered to make business-based risk management decisions, and that occasional unpopular positions can be made with a clearly documented mandate.  

Your Processes

An effective information security program is one that recognizes information security is a continuing and ongoing business process requiring the support of departments, functions and individuals throughout the organization. It’s is the discipline of designing, implementing and maturing security practices and requirements to protect information, critical business processes and information assets.  So, the cliché that security is a process and not a product still applies.

But information security is more than just an activity of creating requirements to ensure the confidentiality, integrity and availability of information.  Developing and maintaining comprehensive and relevant policies and procedures is a key focus area as well. The need to continuously review and modify policies and procedures has gained even more significance due to the ever changing EHR and regulatory environments.

Information security also involves activities such as being able to identify and track IT assets in the environment, having a robust application development methodology, and ensuring that system, application and technology parameters are configured to expected security standards.

To effectively manage and promote information security, a formal approach should be in place for the lifecycle processes of information security activities. It is necessary for healthcare organizations to identify those business processes and activities that have an impact on information security, and create a framework to identify and assign roles at various stages of the process. By applying the lifecycle approach, organizations can establish who is responsible for doing what, and who will review and confirm that the processes and activities have been appropriately managed or completed.

Your technology

Technologies are used to protect information and ensure its confidentiality, integrity and availability. But according to a recent survey by the Ponemon Institute on “Risk & Innovation in Cybersecurity Investments,”  90% of respondents said their organization invested in a technology that was ultimately discontinued or scrapped before or soon after deployment. In other words, these technology investments become “shelfware” which means they sit on the shelf instead of being properly implemented or utilized.

There are a variety of reasons to explain this shelfware phenomenon but they predominantly boil down to people and process issues.  Some organizations lack the resources to properly staff and support their technologies, a problem that many are able to solve through the use of Managed Security Services. Sometimes, a lack of business alignment and supporting processes prevent full deployment of technologies. In other cases, the IT department is too busy or did not have enough time to implement the technology properly, or did not understand the technology well enough.


Business executives should ensure that security team competencies and actions address people and processes and recognize that only a portion of their time should be spent on technology issues and solutions. By moving beyond their traditional risk-averse mentality, organizations can come to grips with what their security teams really need to focus on: the business priorities. The security team's job is to understand information risks and to communicate that risk in a way that helps the business make informed decisions about whether that risk is acceptable.

More and more, security teams will be expected to be not just technology experts but business leaders as well. Those who embrace this business-oriented expectation will thrive in the future. Business and communication skills will be the greatest differentiators between those who succeed in the field and those who do not. Taking an approach to information risk that aligns with business goals is now equally important as a good foundation in technology.

Information is an asset which adds value to any healthcare organization, and consequently needs to be protected from a wide range of threats to minimize negative impacts and maximize return on investments and business opportunities. Effective information security program management is not achievable through technology alone.  It can only be achieved when a holistic approach is adopted. This methodology requires the integration of people, process and technology dimensions of information security while adopting a risk-balanced, business-based approach.

(This blog appears courtesy of our sister publication, Health Data Management.)

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access