As the healthcare environment has become more dynamic — whether driven by growth or an increased focus on innovation — risk management has become more complex. What was once considered the purview of the IT security department now must be a shared responsibility across the organization, according to Drex DeFord.
“Everyone has to be in that mode of risk officer,” he said during a recent panel discussion. And for CISOs, the core objective is being able to identify risk “and figure out how to continue to mold and modify your program to be able to account for the changing world we live in.”
It’s certainly a departure from the traditional job description of the CISO — but one that is needed, noted DeFord, who discussed the topic along with CISOs Ron Mehring (Texas Health Resources) and Sanjeev Sah (Centura Health). Increasingly, the role has become more about cultivating relationships and “building a diverse stakeholder audience within your organization.”
During the webinar, the panelists discussed the keys to creating a robust risk management architecture that balances growth and innovation with security. Although multiple components are involved, there are three basic elements in achieving that goal: culture, communication, and courage.
The reality is that most of the risk identification isn’t being done by CISOs — or at least, it shouldn’t be. Rather, leaders need to create a culture that empowers individuals to raise their hand if they encounter a potential problem and not fear repercussions for speaking out, noted DeFord, a longtime proponent of the Toyota Production System. “Asking for help with identifying a risk should be viewed as a strength, and not a weakness.”
Once that philosophy has become embedded into the organization’s DNA, stakeholders from different departments can be recruited as “deputies,” said Mehring. “The more you can extend responsibilities outward, and the closer we move the validation of security requirements into those areas, the more effective the program becomes as a whole.”
Creating that type of culture requires trust, and the best way to establish that, according to Sah, is through transparency. At Centura, his team has a process through which they highlight risks to the board of trustees (as well as several committees), and explain how they’re working to mitigate them. Through frequent communications, they’ve become “trusted advisors” on whom the organization can rely to “represent risk in a way that considers a wider perspective than just cybersecurity,” he added.
Taking the approach of education, as opposed to the scare tactics that security leaders have utilized in the past, is a step in the right direction, said DeFord. Using fear, he said, “has been done a lot, and it has only moved the needle so far.” On the other hand, educating people about the dangers of underinvesting — and using numbers to back it up — can be far more effective. In fact, CrowdStrike has leveraged data from cybersecurity breaches to provide “legitimate numbers on what a particular risk might cost if we don’t deal with it, or just partially deal with it.” By eliminating the fear factor and focusing on facts, they’re able to show the business value of risk assessments, DeFord said.
The same data-driven approach can also be applied to evaluate new technologies from a security standpoint and determine how they will interact with the environment, based on information that has already been gathered, noted Mehring. His team built a front-end survey that captures information about a proposed system to help predict the results; although it certainly isn’t perfect, it can show how particular challenges (such as password complexity rules) can be managed.
What’s critical in all of these scenarios, noted DeFord, is that leaders are willing and able to communicate with people in a way that resonates with them. “It’s our job as executives to speak with our partners in a way that lets them understand why we have the requirements we do, and why we’re asking them for certain things,” he said. Doing so also enables those individuals to communicate their concerns to leadership, which is critical. “If you can’t figure that out, you’re going to miss each other. And you’re going to introduce risk into the organization that you did not anticipate.”
Effective communication throughout an organization can also result in improved decision-making, said DeFord. He believes that having security and risk teams closely aligned with business, clinical, and research leaders can help anticipate issues before they arise. “If you’re embedded in what they’re doing, you can guide them toward technology solutions that help facilitate the processes they’ve built,” while providing a higher level of security. By making sure they’re on the same channels as stakeholders, security leaders are “far more likely to intercept things early on instead of being the office of no, which nobody wants to be.”
The final piece is courage, which is becoming a bigger requirement as organizations face new hurdles on the path to digitization. One of those hurdles is the increased pressure to roll out solutions quickly, despite the risks involved. To that end, Mehring advised establishing service-level targets — and including an exemption process that dictates when it can be bypassed and by whom. “The program itself needs to have a level of adaptation,” he said. “It should have just a general level of tier of service and then an exception process for emergencies.”
Where the courage piece comes in is being willing to step back and reflect on whether you’re doing the right thing, Mehring added. “And if you’re not, don’t hesitate to say, ‘I think we’re on the wrong trajectory.’ It’s okay to admit that you might need to change direction, and explain why.”
It’s also an opportunity for CISOs to make sure they’re surrounded by the strongest team possible, he said; not just those who are most qualified from a security standpoint, but also those who are willing to shoulder some of the burden. “Building those relationships is so important. It’s not just a CISO problem.”
DeFord echoed his sentiments, adding that CISOs — or any leader, for that matter — should never feel wedded to a decision, particularly given the current landscape. “The world changes around you. Technology changes,” he said. Sometimes that means acknowledging that the best decision made at one time doesn’t always remain the optimal course of action. “That kind of courage is incredibly important. It’s one of the things we see as a core tenet for a lot of the most successful folks in our business.”
This recap is drawn from the webinar Adaptive Risk Management: Balancing Organizational Growth & Innovation with Security (sponsored by CrowdStrike).