The chief information security officer has come a long way. A decade ago, it was all about HIPAA and data privacy; now, everything is centered around resiliency.
“As we push toward digital, there are more catastrophic failures that can happen if we’re not vigilant,” said Erik Decker, CISO, Intermountain Healthcare, in a recent webinar. “The game is different. Our business won’t operate if clinical systems aren’t up and running, and our patients won’t be cared for.”
Clinical processes and workflows require a level of uptime the likes of which healthcare has never experienced. As a result, resiliency has become a key focus. “Our job is to make sure the business can operate in a digital capacity, and make sure there’s confidence in that ability,” he noted.
Like so many other facets of IT and security leadership, accomplishing that comes down to a simple concept: culture.
During the discussion, Decker and co-panelists Julian Mihai (CISO, Penn Medicine, University of Pennsylvania Health System) and Shankar Somasundaram (Founder & CEO, Asimily) shared best practices for cultivating a robust cybersecurity culture; discussed their approaches in dealing with the inevitable hurdles; and reflected on the evolving role of the CISO.
Beliefs and behaviors
“Cybersecurity is not just technology and it’s not just processes,” Decker added. “There’s a huge people element to this.”
Mihai agreed, adding that creating a healthy culture means being tuned in to the beliefs and behaviors of those who utilize the system. Once leaders have a better sense of what makes people tick, they’re more equipped to educate them on their roles and responsibilities and convey the importance of adhering to cybersecurity practices.
The ultimate goal is to create an environment in which employees are empowered to approach the security team with any questions or concerns, rather than waiting to be contacted. It’s similar to the ‘if you see something, say something’ message utilized in public transportation and other industries, according to Decker. “That’s what we want as a cyber-aware organization. We want our employees to engage with us when things go awry.”
For Mihai, it’s the ultimate validation that he and his team have done their jobs effectively. “If folks are keeping an eye out for suspicious activity and it makes its way to us, that tells me folks are engaged.”
“The click of a button”
The best way to build this trust, he said, is to make it as simple as possible to report a potential problem. One method that has proven to be both simple and effective is the phishing button, which enables employees to quickly forward an email to the cyber team if something doesn’t seem quite right. Enabling this, said Decker, is hugely important. “It may not even be phishing. It could be reconnaissance. It could be an individual testing email accounts as they’re getting ready to launch a social engineering attack.” Once the cybersecurity team has the email, they’re able to assess the risk and take action if needed.
Unfortunately, it’s not always that seamless, according to Somasundaram. In some organizations, the reporting process is so cumbersome and time-consuming that it can result in non-compliance. At one health system, employees who come across suspicious communications are required to fill out 2-3 pages of documents and submit them to a department, in addition to entering the report online. “That’s a big friction point,” he noted. While this process can help create a strong documentation trail, it can also turn people away from doing the right thing. “If you make it so hard that nobody wants to use it, you won’t get anything.”
On the other hand, if the right policies are in place and it takes “just the click of a button” to sound the alarm, compliance tends to be much higher. “I see a big difference across organizations in the way the message is communicated, and the way people respond,” Somasundaram said.
The organizations that receive a positive response are those that embody a customer mindset, noted Mihai. “When you’re working in shared services, sometimes that connection isn’t that clear. As leaders, you have to constantly reiterate that to your staff and put the mechanisms in place to train that.”
Removing the friction
Another important step leaders can take, according to Decker, is identifying points of friction. “When you lean in and find processes that don’t provide value and remove them, you gain credibility with the business,” he said. “And when the time comes that you need to spend that political capital to add in a friction point, you’ve already set the right tone with your peers. They know you have the right intentions.”
A common source of friction is the access approval process, which often involves multiple layers — and as a result, leads to a lot of frustration. Although Decker understands the need to account for every possible scenario, he urged attendees to consider the operational impact on those who are forced to wait for approvals.
In other words, exercise common sense. Although secondary approvals are required in certain circumstances, leaders must ensure “it’s all being done in a rational, reasonable way, and you’re not just throwing more folks in the midst of the approval chain just to cover literally any edge case that could possibly happen.”
There’s a balance that must be struck, and doing so requires time, patience, and a lot of communication, according to Somasundaram. “The organizations that have a healthy culture encourage lively discussions to understand the root cause of the problem,” which goes a long way toward being able to address it effectively.
Another sign of a healthy cybersecurity culture, he said, is the ability to not just implement solutions, but to also “measure how well they’re working on each level — how is the process working? How is the feedback loop working? How is the response time working?” Beyond that, it’s constantly tweaking based on that feedback to ensure it doesn’t interfere with workflow, or even more importantly, patient care.
“It’s a continuous journey,” noted Somasundaram. “You need to have those discussions, adapt, and evolve — even for processes that are working well, because that could change over time. Culture isn’t something you do well and keep it that way. You evolve it as the organization evolves.”
An archive of this webinar — Keys to Creating a Robust Enterprise-Wide Cybersecurity Culture (Sponsored by Asimily) — is available.