3 traits of an ideal hospital CISO

Healthcare CISOs are tasked with establishing and maintaining a vision and mission to thoroughly protect the information systems and data of an entire organization. The need is especially acute in the healthcare industry, where data breaches are growing in number at the same time hospitals are collecting ever larger volumes of sensitive information.

Given the current cybersecurity landscape and the increasing number of regulations, the importance of CISOs and security departments shouldn't be overlooked, and a strong security department starts with an effective CISO.

Basic, foundational knowledge of IT, networks and applications is an inherent requirement for this position, but what other skills does a CISO need to develop and retain?

Mac McMillan, CEO of CynergisTek and current chair of the HIMSS Privacy and Security Task Force, and Heather Roszkowski, CISO of University of Vermont Medical Center in Burlington, discuss the traits necessary to be a CISO in today's healthcare environment. The two will present on building a security office and how to select the right CISO at HIMSS15.

First, effective CISOs need to be able to translate discussions regarding information security into a business perspective. Translating a security requirement into a business need helps hospital leadership draw a link between security actions and overall business operations. "Security is not something that gets talked about in a vacuum," Mr. McMillan says. "It's not something driven by some informational threat that's out there. These should be things that are understood to directly benefit the business."

Second, Mr. McMillan says CISOs need to be able to work comfortably in a risk management environment and shed the mindset that they own the risk, because the CISO doesn't, or shouldn't, own any of the risk.

"The CISO doesn't own any of the risk for the organization," Mr. McMillan says. "They're not the one that's responsible for making risk decisions for the business... The CISO is responsible for providing [executives] with the best information they're capable of providing so that [executive] understands what the risk is and can make the best decision they're capable of making with respect to the business."

Ms. Roszkowski says her hospital established a committee that discusses questions of risk to mitigate the risk ownership issue. This committee, she says, is composed of "the technical minds" that think through proposed changes and arrive at a recommendation to present to the board. "We're really trying to give that information to the CIO minus any emotion," Ms. Roszkowski says. "Here's the facts. Here's where we stand. Here's the risk associated with doing it, here's the risk with not doing it and here's the recommendation from the council."

The third characteristic of the ideal CISO, according to Mr. McMillan, is the individual's ability to work collaboratively on a team. "Understanding that other skills like collaboration and collegiality and negotiation and psychology are very important in effecting what you want to try to accomplish in your program," Mr. McMillan says. Doing so keeps the CISO in tune with other staff members' goals and priorities and helps the CISO develop or modify the security program so that it supports those goals.

Ms. Roszkowski says above all, her leadership skills in this regard have helped her excel in her position. "It's been the non-technical skills that I feel I've benefited from. Relating to their job and what the risk is to what they do everyday has been extremely beneficial in getting security advocates and champions for me," she says.

But a good CISO can only go as far as executive leadership allows the security department to thrive. IT, Mr. McMillan says, provides a service to the hospital. With that in mind, executive leadership should protect that service line as it would any other resource, such as the general counsel or the accounting department. As with most wide-scale strategies, executive leadership has to embody this vision and acknowledge that cybersecurity is a key priority.

"If we're going to even have a chance of meeting the threat that's out there today, security has to be an organizational priority and has to be a priority for the people who are running the hospital," Mr. McMillan says.


Copyright © 2024 Becker's Healthcare. All Rights Reserved.