It’s not exactly common for a healthcare IT executive to hold the dual role of CIO and CISO, particularly at large organization. But when extenuating circumstances dictate that it must be done, you can either run for the hills, or see it as an opportunity. Steven Goriah chose the latter; and in fact, has found a way to leverage his past experience as a CIO to drive security initiatives forward at WMCHealth, a 10-hospital system based in upstate New York. Because he understands “the politics of IT,” Goriah has helped leadership across the organization to “see the value in having a robust security program — and the risks of not having one.”
Recently, Goriah spoke with healthsystemCIO about his strategic objectives at WMCHealth, including the long-term strategy to create a single source of truth across the organization, and the constant effort it is to secure data. He also discusses his approach to change management, why strong relationships with other leaders is critical, and the need to be willing to push the envelope.
- Creating a culture of security – “It’s everyone’s responsibility.”
- Tenets of change management
- “You have to know your culture & your tolerance for risk.”
- Avoiding “broad stroke” management
- WMC’s cybersecurity journey
- “We’re not fully protected – and we never will be.”
- Partnering with start-ups
- Work-life balance – “It’s priceless.”
We’re trying to create a culture of security; and that means ensuring security is an organization-wide initiative, not just an IT initiative. And so we need engagement across the board.
We can’t just manage with a broad stroke and have one strategy for engaging folks. Clinicians tend to be more focused on patient care and patient safety, while financial people are more concerned with the bottom line, and so you have to tailor your approach.
You have to be able to adapt. The bad actors are constantly out there, trying to break in, and so you have to be on the cutting edge. You need to be agile in your strategy, and in some cases, you need to be reactive.
At the end of the day, we’re all here to enhance patient care, no matter what title we hold.
Gamble: When you look back on WMC Health’s HITRUST journey, what were some of the key challenges?
Goriah: I believe the key challenge was getting the operational staff engaged. As we had to rewrite and redesign our policies, procedures, and processes, we found that having the operations side of business — from human resources to compliance to legal to HIM — understand the new processes, and their new roles, was a big lift. It was also important to make sure leaders across the organization, especially those in HR, compliance, and legal, were engaged.
We have to be able to work hand-in-hand, and understand that security is everyone’s responsibility. We’re trying to create a culture of security; and that means ensuring security is an organization-wide initiative, not just an IT initiative. And so we need engagement across the board.
Gamble: That’s a challenge for so many leaders. What advice can you offer to those who are trying to crack that code?
Goriah: With any program, you have to understand the culture, and you have to know the organization’s appetite for risk. There’s no one-size-fits-all. We had great backing from our leadership, and our support and operational staffs were fully engaged.
My advice is, as you decide to implement any type of framework — and there are hundreds out there — make sure your organization’s culture will be able to adapt to the changes required. Nothing can be implemented unless it fits into the culture; as people often say, culture eats strategy for breakfast. It’s so true. As CIO, you have to implement a strategy that’s right for your organization based on the culture. If that’s not the case, you’re going to fail.
Gamble: I’m sure it can be tempting when you have a vision in your head and want to drive toward that, whether or not people are ready. I would think it requires a lot of self-awareness to know where the organization really is.
Goriah: Exactly. It really is a journey; it’s not going to happen on day one. You have to know your culture, know the tolerance for risk, and know that what you’re trying to implement is doable and feasible. Sometimes you have to push the envelope a bit, but at the end of the day, you have to do what’s right for the organization. You have to find the right approach to make sure it’s protected and secured.
Gamble: Very true. You talked before about having to give a little push — I’m sure it has to be done in a thoughtful way.
Goriah: Absolutely. You have to be persuasive, but you have to do it in a creative way, and understand who you’re dealing with. My approach to leadership is to engage everyone individually, based on who they are as a person. It’s not one strategy fits all. You might have certain views because of how you were raised and what you were exposed to, and I might be completely different; what resonates with you might not resonate at all with me.
And so, as leaders, we have to manage people based on their personality and appeal to their sensibility when it comes to being on the cutting edge of technology and understanding security. We can’t just manage with a broad stroke and have one strategy for engaging folks. Clinicians tend to be more focused on patient care and patient safety, while financial people are more concerned with the bottom line, and so you have to tailor your approach.
Gamble: Right. I imagine that’s where strong relationships with other leaders comes into play, especially people like [Chief Healthcare Information Officer] Marc Chasin.
Goriah: Absolutely. Dr. Chasin has been a great supporter of ours and a great champion of the programs we’re leading. As a physician, he brings a level of gravitas to the role, but he’s also very smart and persuasive, which has helped us get engagement from clinicians and senior leaders that otherwise wouldn’t have been possible.
Gamble: Looking at where the organization stands in terms of security, are you happy with the progress that has been made?
Goriah: When I look at where we were and where we are now, I’m extremely happy, but there’s still more to be done. With security, you can’t have a 5-year or even a 3-year strategy; it’s more like a 6-month strategy, because the posture and the threats are changing dramatically.
We’re not fully protected — and we never will be, but I feel comfortable that we’re able to manage the risk we have. That’s what security really boils down to; understanding which risks are most important and what the organization is willing to accept, and managing toward that goal.
No organization is fully protected; no organization can say it has a completely solid program. Even if you have one today, you won’t have it tomorrow. A solid cybersecurity strategy is about identifying high risk areas and determining how to best spend the limited resources available so you can get the best bang for your buck. It’s being as efficient as possible, creating and maintaining great partnerships, and be willing to work with new technologies.
For example, I’m not a big fan of security information and event management (SIEM), but there are some great AI tools coming out that are able to do amazing things. And so you have to have that cutting-edge thinking and be willing to partner with up-and-coming technology companies. You’re not going to fulfill your needs by relying on the same old technologies. Of course, it costs money to invest in startups, but if you have a tool that leverages artificial intelligence and advanced analytics for log management, it’s worth looking at. There are ways to be smart with the funds you have, while also protecting the organization.
Gamble: It seems like there’s definitely been a shift in thinking with cybersecurity, especially when you talk about having 6-month strategies.
Goriah: In the new world of cybersecurity, you have to be able to adapt. The bad actors are constantly out there, trying to break in, and so you have to be on the cutting edge. You need to be agile in your strategy, and in some cases, you need to be reactive to the changing environment.
Gamble: Looking at your career, you’ve been with Westchester Medical Center for about four and half years, having previously held the CIO role with CarePoint Health. What attracted you to this particular role?
Goriah: It’s a great organization. As a father of young children, work-life balance is a big priority. My career is important, of course, but I’m a father first. Everything I do represents my family; when I look in the mirror, I want my kids to be proud of me.
At Westchester, my commute is seven minutes. That’s priceless. I count my blessings to be part of such a great organization with great people, and also have a healthy work-life balance where I can be there for my family. My boys are in their formative years; being able to spend time with them isn’t something you can put a price on. And so I feel very lucky to be here.
Gamble: I couldn’t agree more. And I’m sure it’s not easy to maintain that balance, especially with so much going on, both in your organization and across the industry.
Goriah: It’s challenging, but it’s also invigorating. I’m not someone who likes to do the same thing two days in a row, and so I find it exciting to face new challenges daily and to be involved in so many different areas. One day I’ll be working on the IT strategy, the next day it’s cybersecurity, and the next I’m in a clinical meeting or an interface meeting. It’s invigorating to be in this type of environment.
There’s so much to be done, but it’s exciting. We have a chance to change the organization by building systems that enable our clinicians to be able to provide the best patient care. Because at the end of the day, we’re all here to enhance patient care, no matter what title we hold.
Gamble: Right. There’s a big different between not being able to get away from the organization, and being there because the work is so important to you. The trick is to make sure it’s manageable.
Goriah: It also depends on your approach. You have to manage yourself, and know how to structure your daily work so that you’re able to manage multiple tasks simultaneously. By nature, I tend to be calm; I don’t get frazzled easily. I’m able to listen to people, weigh the options, and make decisions. I’m not someone who thinks he knows everything. I learn something new every day; it could be from the janitor, a security profession, or a physician. I’m open to engaging with all types of people, because I know it makes me better as a person and a leader. When you’re able to engage with others and learn from them, you’re able to make the best decisions for the organization.
Gamble: Well said. I think that about covers it. I want to thank you so much for your time, and I’d definitely like to catch up again soon.
Goriah: That sounds great. Thank you, Kate.