[BreachExchange] What organizations need to hear from their CISOs

Audrey McNeil audrey at riskbasedsecurity.com
Thu Feb 23 20:10:47 EST 2017


http://www.information-management.com/news/what-organizations-need-to-hear-from-their-cisos

After nearly eight years as chief information security officer at Temple
University Health System, Mitch Parker last September joined Indiana
University Health. There, he told executives what he had told his team at
Temple: cyber threats are not an information technology department problem
but a security problem for the whole organization.

CISOs who are new to an organization need to stress the challenges that
cyber threats represent and the adequacy, or lack thereof, of current
security procedures, Parker said Sunday during a presentation at HIMSS17.

That starts with educating other executives about breaches: why they occur
in the first place, the technology behind them and, most importantly, the
process failures that cause them.

CISOs should describe the cyber environment using unbiased sources, such as
reports from Gartner, Ponemon and health insurers, to brief colleagues on
trends and emerging threats. And they need to insist that the organization
join cyber threat sharing initiatives across their region and the industry.

Information security must be tied to two enterprise levels, information
systems and organizational strategy, Parker stressed. “Metrics need to
focus on augmenting and supporting the overall strategy,” he added.

Parker suggested adopting the Lean methodology for improving security
performance, since the program is all about process improvement and asking
why less than optimal processes continue to exist. Employees responsible
for information security, regardless of where in the organization they
sit, should be told that they need to understand Lean.

Further, Lean should be used to design and maintain systems covering
business customers, enterprise architecture, legal contracting, compliance,
supply chain and enterprise risk scoring, making sure that various teams
are on the same page with security.

This is grunt work, Parker warned: “You can’t buy your way into this.”

If an organization decides to purchase cyber insurance, it must understand
the need to complete a comprehensive risk assessment that includes pointed
questions to determine the strength of the security program. Not only are
insurers looking for that assessment, but so also is the HHS Office for
Civil Rights, which enforces the HIPAA privacy, security and breach
notification rules.

Good information security, Parker said, has its hooks in clinical risk
management, insurance, emergency preparedness, privacy, corporate
compliance, supply chain, revenue cycle, information management and Joint
Commission requirements, among others.

To be successful with this laundry list, an organization must embrace
change management in an overall enterprise model, Parker advised. “If one
player says, ‘I do my own change management,’ it won’t work. Either there’s
one change management program or there’s none.”