Because of the importance of cybersecurity and the increasing risks, most companies now have someone responsible for leading and overseeing cybersecurity. In many organizations, information security leaders (i.e., CISO, IT Security Director) report to the CIO, making it easier for him or her to directly influence cybersecurity decisions. Even when this isn’t the case, the CIO should remain heavily involved in promoting and supporting cybersecurity initiatives.
Depending on which source you read, slightly more than half of the information security individuals report to the CIO. When this is the case, the CIO has many things he or she can do to help promote cybersecurity and support their security person(s) or team. Regardless of the reporting structure, many of these will hold true even if the CIO does not have direct responsibility or oversight of cybersecurity.
While cyberattacks continue to rise, the amount we invest in cybersecurity has declined from previous years. Hospitals and healthcare organizations spend less on cybersecurity, as a percentage of revenue, when compared with the retail industry and finance sector. These reductions in budgets are occurring at a time when healthcare breaches now surpass both of these industries in size and scale.
On average, healthcare organizations spend only 5 percent of their budget on cybersecurity. While there are many reasons for this, every dollar must be used effectively and efficiently to combat these ongoing threats.
An organization must ensure funds are set aside to support cybersecurity initiatives. Without funding, it will be challenging to identify and address risks. There must be a continued financial investment in cybersecurity, which will allow for the proper staff, tools, and third-party assistance (if needed) to deal with threat analysis, remediation, and incident response.
There are a lot of internal and external pressures and competing priorities that make an IT budget difficult to put together each year. A lot of thought needs to go into the budget planning process to make sure it aligns with both business and IT infrastructure needs. It is the CIO’s responsibility, in partnership with their team, to ensure that proper funding is included in the budget (where and when appropriate).
Leaders must resist the urge to make a quick decision to invest in cybersecurity following an adverse event. When this happens, it is too late. Typically the incident response, impact to the business, unwanted press, and negative impact on the brand exceeds the costs of the initial spend.
In the case of cybersecurity, the best defense is a good offense, and that requires CIOs and their organizations to fund this area appropriately.
A good cybersecurity leader is focused on securing their organization and will likely default to that position rather than focus on functionality. They take very seriously the responsibility to secure the data we are all entrusted to protect. Because of the CISO’s solid focus on security, it will at times be necessary for a CIO to get involved in various discussions and help weigh the security needs against the usability of a solution, ensuring that it doesn’t suffer beyond an acceptable level. This is especially true when caring for the patients at the bedside or in a clinic where the number of “clicks” and time spent at the computer matters.
The CIO needs to be able to explain the need for the various security controls while seeking to understand the impact of any decisions. I have found that at times, the most secure solution can also be the most difficult to use, requiring some compromise or modification to balance both security and functionality.
The safety and security of our important data must be paramount in our decision-making process. That being said, security solutions cannot be so onerous that it becomes impossible for employees to access and use the systems they need. Many times, it will be the CIO that helps bridge this gap.
Awareness and Communication
Another essential role of the CIO is helping to bring awareness to the cybersecurity threats the organization faces, and explain what is being done to address them. This can happen by conducting one-on-one conversations, addressing various committees, speaking in meetings, and updating the other senior leaders.
The message also needs to be shared that cybersecurity is everyone’s responsibility. It is not just the IT department that is responsible for securing their organization’s important data and assets. Therefore, it’s critical to arm and educate employees about the dangers of clicking on unknown links, responding to a phishing message, or giving out your username/password. IT can and should invest in tools and technologies to help defend against cyber threats, but education is still the best way to protect and secure an organization.
CIOs should look for opportunities to explain the threats the organization faces and discuss what every employee can do to help.
It is also vital that the board receives at least an annual update regarding the cybersecurity threats and what is being done to assess and address them, and that the CIO participates in all discussions regarding data safety.
IT Security at the Table
When building or buying a solution that addresses a business or clinical need, organizations often focus on ROI, business needs, cost, time to deploy, etc. While these are all good things to consider, cybersecurity does not usually make the list. It is the CIO’s responsibility to ensure all solutions that are being considered have been vetted by the appropriate IT security person(s) or group, and that any questions are addressed before a decision has been made. I have seen several times where failing to consult with the cybersecurity team results in a solution being delayed, completely revamped or even canceled due to concerns that weren’t properly weighed.
Getting IT security involved early in the selection and implementation process will help ensure any questions are addressed up front and make for a much better implementation and rollout.
A True Roadmap
The CIO is responsible for developing and maintaining an IT roadmap. Whether embedded in the overall IT roadmap or kept separate, the CIO should work closely with the CISO to develop and support the cybersecurity roadmap. This roadmap can be shared with individuals at any level of the organization and easily understood. Assuming the board is receiving some periodic update, this would be a great document to review and track with them as well.
IT security cannot merely be reactionary; it must mature to a place where plans are discussed and made with top priorities in mind. A plan must be flexible enough to adapt to any new threats or changes that occur from year to year.
I am a fan of clear and concise one or two-page visual IT roadmaps. They should be easily understood, and should be discussed and shared often. If they are so complicated that people do not understand them, they have little to no value, and cease to become a true IT roadmap.
To quote Yogi Berra, “If you don’t know where you are going, you might end up someplace else.” Every IT security program needs a clear and concise roadmap, and the CIO should help communicate the message whenever he or she can.
This piece was originally posted on CIO Reflections, a blog created by Michael Saad, VP and CIO at University of Tennessee Medical Center. His diverse career path also includes leadership roles with TrustPoint Solutions and Henry Ford Health System.