These days, CISOs have to be a lot of things to a lot of people. In addition to being authorities on risk management and cyber-defense, they have to be collaborators, educators, and strategic planners.
The one thing they don’t have to be? “The one who always says ‘no,’” said Teresa Tonthat, VP of IT and CISO at Texas Children’s Hospital. Rather than acting as barriers to innovation, security leaders can now play a critical part in accelerating it — if they belong to organizations that have the vision and determination to make it happen.
Texas Children’s is one of those organizations, according to Tonthat. Her team’s goal is to balance security with clinical and business operations to make sure nothing they do negatively affects patient care. “It should be seamless,” she said during a recent interview. And in fact, security measures should “help enhance the user experience,” rather than hindering it.
One way to facilitate that? By having innovation and security — two groups that have traditionally been in different corners — work closely together. Texas Children’s has taken strides in that direction by having Tonthat and her peers in other areas (including innovation) report directly to Myra Davis, Chief Information and Innovation Officer.
“It was a great decision because every innovation comes through this hub,” said Tonthat. Before any new ideas or technologies are introduced, her team is consulted and given the opportunity to provide feedback. “If it’s going to be in our production environment, it needs to go through a thorough security review,” including risk assessments performed in real-time. “That partnership has helped build a different perspective on the value add of cybersecurity.”
Breaking down silos
But it didn’t happen overnight; that partnership is the result of a deliberate effort to weave security into the fabric of the organization. Rather than relying only on meetings to facilitate communication among leaders from different departments, Texas Children’s made the decision to break up cybersecurity teams and embed those individuals into other areas of the organization.
Tonthat, who started with the organization in January 2018, has played a critical role in this redesign. A year and a half after being hired as Director of Information Security, she was promoted to Assistant VP of IT, a role that expanded her scope to include biomedical engineering, customer service, and digital services, along with cybersecurity. It also meant going from 30 reports to more than 230, and provided “exposure and visibility into the system level,” she noted.
Less than two years later, Tonthat was promoted again, this time to VP of IT and CISO — a position that enables her to “sit on steering committees and help make decisions outside of IT, and manage multiple levels of leadership, including directors, assistant directors and frontline managers.” And although she didn’t expect to advance so quickly, she’s grateful that Davis was able to see her potential. “I may not have anticipated that I was ready, but she saw something in me,” Tonthat said. “She had high hopes for me to be able to embed security throughout our infrastructure, digital, and medical device teams, and ingrain that mentality within all facets of information technology.”
Building the foundation
The best way to do that is by focusing on the organization’s core mission to ensure the digital solutions being rolled out to patients, their families, and the workforce “are always available and secure,” noted Tonthat, who likened ARS (availability, reliability, and security) to the foundation of a house. “If we can achieve that 99.9 percent of the time, then we can introduce additional solutions and enhancements that can bring our experiences to the next level.”
On the other hand, if organizations add on to the house — with digital capabilities, for example — before making sure the foundation is stable, those who are inhabiting it won’t be able to reap the benefits. It’s an analogy her team often uses when speaking with leaders from finance and clinical departments to convey the importance of adhering to security measures.
That way, “when we ask for millions of dollars to refresh our dataset or bring in new capabilities from a cybersecurity standpoint, they know why,” Tonthat said. “They may not like the dollar signs, but they’re able to view these as investments” — rather than seeing cybersecurity as a cost center.
Continuing the conversation
The key to establishing buy-in and trust is ongoing communication, as well as education, added Tonthat. By holding weekly meetings with project management offices, her team has created an opportunity to discuss synergies and identify potential vulnerabilities. Beyond that, they’ve established a platform for individuals to voice their concerns — and feel heard, she added. “The conversation has definitely changed.”
Education must also be continuous, noted Tonthat, whose team sends out a weekly newsletter and conducts monthly phishing simulations for its entire workforce of more than 19,000. The primary area of focus through this outreach is human behavior, which is the root of 90 percent of cyberattacks, according to a Kaspersky Lab report. “Most of the time, the foothold in is through a user clicking on a bad link or attachment,” Tonthat said. “We do a lot of training and awareness on how our nurses, physicians, folks in HR — any department — can strengthen their vigilance and prevent that.”
The exercises paid off, with the click rate going from 18 percent (more than 3,500 people) to a low of 0.4 percent in Q4 of 2020 (which equates to about 70 people). Although the organization has seen some fluctuation in the rate, it hasn’t gone above 2 percent, noted Tonthat, thanks to the culture of vigilance that has been spread throughout the organization. “We couldn’t have done this without every single leader’s help extending our voice.”
Her team has also employed innovative methods like gameshows (“Security Feud”) and escape rooms to “make it more fun,” boosting cybersecurity awareness along the way. And now that they’ve gained momentum and support throughout the organization, there’s no stopping them.
“We’re never going to drop it. There’s always work to be done,” said Tonthat. “It’s continuous awareness and connecting the dots for everyone to understand why it’s important. But we’ve come a long way.”