[BreachExchange] Top 10 Cybersecurity Best Practices for Healthcare CISOs

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jun 26 19:05:53 EDT 2018


https://healthitsecurity.com/news/top-10-cybersecurity-best-practices-for-healthcare-cisos

Faced with an onslaught of threats these days, healthcare chief information
security officers (CISOs) need to take a deep breath and focus on
cybersecurity best practices.

The number and frequency of these threats—ransomware, cryptocurrency
mining, data-stealing malware, advanced persistent threats, malicious
insiders, and careless employees, to name a few—can be overwhelming. It can
seem like healthcare CISOs and their teams are always one step behind the
well-funded bad guys.

Sentara Healthcare CISO Dan Bowden has learned some hard lessons about
improving cybersecurity during his career as a healthcare CISO.

In an exclusive interview, Bowden spoke with HealthITSecurity.com about the
top ten lessons he has learned and best practices he has adopted over his
long IT career:

1. Seek first to understand, and then to be understood – Stephen Covey

There is a danger that when you get to an executive level in your career,
you assume you know what needs to be done without stopping to understand
the specific situation you are dealing with. There’s a danger that you come
in with a “playbook” and expect that to work at any organization.

“I’ve been now the CISO of two different organizations, and the two
organizations actually do things very differently. But in both situations,
I had to sit down and figure out and understand, ‘Okay, how does this
organization function? Is it a governance-driven organization? Is it a
culture-driven organization?’” Bowden observed.

Once he understood how his organization functions, he developed a strategy
for implementing a cybersecurity program tailored to that environment.

“You’ve got to figure out where you’re at and what everyone else knows
before you go in trying to push mandates,” he advised.

2. Lead by building trust and influence, not by pointing at the org chart

You can’t get people to follow your direction if you say, “Well, I’m the
CISO, you should just do it,” Bowden observed.

Instead, you need to get buy-in from the other person. You should explain
what you want to do in language that a lay person can relate to. It’s about
building relationships with people.

“I think the sign of really strong leadership is when you can get things
done because the people around you believe in it, and they’re not doing it
because they’re beholden to your title or the org chart,” Bowden said.

3. Telegraph your plans, allow others buy-in, create joint ownership

“When there’s something big I want to get done, I start talking about it
well in advance of actually working on it,” Bowden said.

He started working on getting buy-in for his 2018 security initiatives in
the winter/spring of 2017. Initially, he experienced resistance; people
would cite various barriers to his proposals.

“By the time the budget cycle and the planning for 2018 came around, I had
these folks on board to help me execute the 2018 initiatives, and on board
in such a way that these initiatives aren’t necessarily owned specifically
by me,” he commented.

4. Act and speak like the C-suite and board are included

The Sentara CISO stressed that you need to speak about security issues in a
way that non-experts can understand. Especially for the C-suite and board,
the security conversation needs to be in terms of risk to the business.

“If you can describe the threat or vulnerabilities in such a way that they
can equate that to risks to the business, they appreciate that,” Bowden
said.

“If you want to have influence with the board, no matter who you report to,
what you need to do is talk in terms of the business and don’t get too
caught up in cybersecurity speak and jargon,” he added.

5. Make your boss and their boss look good

“I try to find out what’s on my boss’s agenda, what’s on the CEO’s agenda,
and how I can play a part in helping that be successful,” Bowden said.

For example, he worked with the company’s CIO to communicate Sentara’s
cybersecurity program to the CEO in a way that he could support.

“That made [the CEO] feel confident in what we were doing, and in a way
that he could explain our strategy to his peers of other healthcare
organizations in a cybersecurity business context,” he said.

6. Create pre-determined outcomes

“I don’t walk into a meeting and present something absolutely cold,” Bowden
said.

Instead, he lays the groundwork for the proposals before the formal
presentation. He talks “extensively” beforehand with the stakeholders to
let them express any concerns they have, and he tries to address those
concerns before his presentation.

“Not everybody likes doing that stuff because it takes a lot of time. They
just gear up for that one big presentation. They think they’re going to hit
that big homerun presentation, and everybody’s going to love it. The truth
is, half the people in there aren’t going to know what you’re talking about
if you don’t tell them beforehand,” Bowden related.

7. People first, then process, then technology

“What’s crucial here is making sure that the people on your team understand
what the role of the program is in the greater organization and that you
help them feel like they’re trained and equipped to be successful doing
that,” Bowden said.

This involves coaching, critiquing, and mentoring employees to let them
know what is expected of them and how to meet those expectations and be
successful.

“Once they believe that you’re in it to see them be successful, they’ll do
a lot of work for you on getting the processes and technology aligned,” he
said.

8. Recruit and re-recruit your people, from dedication to commitment

The people on your team should be the face of the security program. As a
leader, you should train them to succeed and then let them take ownership
of the program and commit to its success.

“My job is to come here and build the program. Maybe after I build the
program and it’s a raving success, I go somewhere else to build another
program. The way I’m going to be rated on what I did in building this
program is looking at what I left behind,” he explained.

“All of us have seen situations where a particular organization was tied so
much to the leader or the leader’s brand that when the leader left all of a
sudden there was doubt around that particular organization or the
organization seemed to falter,” he added.

9. Look for “net adds”— there is always a small win available, they add up

Instead of looking for a big, expensive solution that will “solve”
everything, a good cybersecurity leader should try to get the small things
done, and over time they add up to the big solution.

“I’ve been doing cybersecurity for long enough that I know often there are
smaller things you can do along the way that mitigate risk,” he said.

The smaller things include employee training, improving the process, and
fully implementing existing technology, he related.

10. Capitalize on crisis

Bowden cited the example of last year’s WannaCry ransomware attacks against
healthcare organizations.

“If the CEO didn’t know who the CISO was before WannaCry, they definitely
knew after,” he quipped.

This was an opportunity for the CISO to be prepared with an understanding
of the threat and possible solutions. It was also an opportunity to educate
the CEO about the importance of cybersecurity hygiene and cyber incident
response planning.

“Whenever some sort of a major security incident happens outside your
organization or inside your organization, you should be prepared to move
forward quickly and use that in a way to mature your organization’s
cybersecurity program,” Bowden concluded.