To say that the CISO role has come a long way in recent years is putting it mildly. With cybersecurity breaches and ransomware incidents on the rise, it has become “a mission critical position to help build out a comprehensive security program,” said Nick Giannas, Principal, WittKieffer.
As digital technologies continue to shape healthcare delivery, he believes the position will only “gain in prominence,” particularly given the “intensified cybersecurity landscape.”
According to HIPAA Journal, 2023 saw the highest number of reported data breaches with a whopping 725, and the most breached records of any previous year, with 133 million records exposed or inappropriately disclosed. What’s even more alarming is the fact that 26 of those breaches involved more than 1 million records; four of those exceeded 8 million records.
Given these numbers, it is becoming clear why the cybersecurity leadership role has gone from “almost back-office function” to one that is “very much front and center,” said Zachary Durst, Consultant, IT Practice. In a 2024 report — Healthcare CISOs: A Deep Dive into Talent & Leadership Trends — the executive search and leadership advisory firm surveyed more than 50 individuals in an effort to provide “a comprehensive portrait of today’s healthcare CISOs and their roles.”
Today’s CISO
The best place to start, they said during a recent interview, is by identifying the three distinct phenotypes of CISOs in terms of background:
- Hybrids (around 55 percent): Information security professionals who gained experience in other sectors such as technology, financial services, and IT consulting, and transitioned into healthcare.
- Recent healthcare “transplants” (around 30 percent): Leaders who transitioned directly from another industry, mostly technology.
- Healthcare natives (around 15 percent): Those who joined healthcare very early in their careers and cultivated their expertise within IT departments of healthcare organizations.
The fact that just a small portion are healthcare natives should come as no surprise, said Durst, particularly as healthcare has lagged behind other industries in the “depth of expertise” required to safeguard information. “There’s a high demand and a low supply level,” which has necessitated looking to other “highly regulated” industries such as finance.
Said Giannas, “that’s one thing that really stands out. Health systems continue to recruit for this role.”
So do other industries. As a result of this competitive market, turnover is becoming rampant, he noted, adding that 42 percent of CISOs were appointed to their current roles within the last three years. More than half had previously held C-level positions, which suggests that executives and boards recognized the elevated importance information security poses to their organizations and responded by hiring ‘experienced chiefs,’ the report stated.
Internal development
Although the approach makes sense in the immediate term as it can help fortify security practices, it may cause harm in the long-term if organizations aren’t focused on developing internal talent and building a bench of internal successors. “Long-term institutional knowledge is crucial for an information security leader, as it enables them to make informed decisions aligned with the organization’s unique context, culture, and technology landscape,” the report stated. “This deep understanding facilitates the development and implementation of effective security strategies and fosters strong relationships with key stakeholders. Leadership should prioritize developing individuals who combine institutional knowledge with a willingness to adapt, be agile, and evolve to address the dynamic nature of information security.”
While there’s often a great deal of focus on attracting new cybersecurity talent, what can’t get lost in the shuffle is the need to “create development opportunities for current team members,” noted Giannas. “That’s really important.” It can mean anything from establishing internship programs with local colleges to reaching out to infrastructure or applications departments to identify individuals with an affinity for security. “You have to be willing to get creative.”
Remote opportunities
Leaders also must be willing to consider remote work models — especially if they want access to top candidates, said Giannas. “If you look at the data, an overwhelming majority want a remote or hybrid arrangement.” In fact, it’s often the first question they get from potential candidates.
“In short, everyone seems to want remote,” said Durst. For leaders, it’s “a constant balance of what the market wants and what health systems have traditionally done,” and it won’t be solved overnight. “It’s a constant push and pull.”
Another focus of the research was reporting structure. Although most respondents (70 percent) report to the CIO, it’s becoming more common for lines to be drawn to operations, compliance, legal, or even the CEO. “It might change, but that remains to be seen.”
“Soft skills”
What is certainly changing, according to Giannas, is the skillset needed to thrive in the CISO role. In addition to security and technology expertise, recruiters also seek individuals with “soft skills,” primarily the ability to communicate risk and security in business terms. “Having that acumen is critically important,” he said.
Durst concurred, noting that in the current environment, many CISOs spend as much time in front of the board as CIOs, and have an even wider audience of stakeholders. “The ability to translate a broad set of risks to such a diverse population is so important,” he said. “It’s driven in part by the board’s recognition that getting hit is a matter of when, not if.”
And as digital transformation continues to drive decision-making, that expertise will only become more valuable. “There’s so much opportunity to make a positive impact,” said Giannas. However, having more access points means higher security risks. “A bad actor only needs to get in once.” Therefore, “your program needs to continue to not just evolve and grow, but also advance. That’s the reality.”