As healthcare cybersecurity threats and data security challenges continue to evolve, CISOs must ensure that they remain educated on the best options for keeping sensitive data secure.
However, CISOs also need to find the right balance between maintaining security and not impeding daily workflow. This can often prove difficult, especially given the variety of potential vendor solutions and the communication challenges within an organization.
This can lead to ‘solutions fatigue’ or ‘solutions overload,’ according to the Institute for Critical Infrastructure Technology (ICIT). In a recent paper, CISO Solution Fatigue: Overcoming the Challenges of Cybersecurity Solution Overload, ICIT explained that modern CISOs often feel pressure to find comprehensive solutions but that there is also an overabundance of vendor solutions.
In the federal agency and critical infrastructure space in particular, the CISO role is a fairly new position, according to ICIT Co-founder and Senior Fellow James Scott.
“It seems like they’re torn between the technological side of security and the day to day aspects of working with management for the business model,” explained Scott, who also co-authored the paper. “There is also the financial component of having to spend money on layered security, and understanding how they demonstrate that with the ROI. There’s all these contributing factors while simultaneously there is the evolving threat landscape.”
Between 2010 and 2015, there was a drastic increase in the number of vendor start-ups for all aspects of cybersecurity, Scott added. Furthermore, security-as-a-service (SaaS) lowered the entry barrier into this space and led to a lot of “silver bullet solution” sales pitches.
“That undermined the greater community aspect of cybersecurity and it really poisoned vendor-consumer relationships,” said Scott. “They were aggressively pushing services on CISOs, denouncing competitors, and the industry became kind of toxic. There is also the pressure of having to demonstrate some type of ROI as a CISO. These are all contributing factors to the fatigue that they’re experiencing.”
However, Scott underlined the fact that it does not all need to be “doom and gloom,” and that CISOs can overcome solutions overload by altering their business model to focus on long-term stability over short-term gains.
“When they take that into consideration with their model, that will preclude some vendors,” he stated. “It’s good to have the latest and greatest, but there are certain elements to security that out of the box people aren’t really considering.”
It will also be beneficial to have qualified technical people fielding vendor calls, added Scott. A CISO can delegate this to a qualified IT employee, perhaps a network expert. These staff members should be qualified to listen to the introductory pitch, which will also free up the CISO’s schedule to work on other things.
Healthcare CISOs and patient data security
For healthcare CISOs in particular, their solutions overload is also often due to the vulnerability of the network, according to Scott.
This can be compounded by cases of “Frankensteined” technologies, where devices that were never meant to be connected to a network are adjusted to do so.
Healthcare organizations are also in possession of extremely sensitive data, such as PII and PHI.
“They are dealing with sophisticated APTs that are state-sponsored or mercenary,” Scott warned. “But they are also dealing with the random ransomware email that uses extremely basic social engineering to get in, like through an email. Dealing with employee education is also important. They’re dealing with everything.”
Healthcare CISOs should absolutely draw on the people around them to start fielding pitches for new technologies, he advised.
“As far as communication, they should be in charge of the actual final approval of the technologies,” Scott said.
Moreover, healthcare CISOs need to ensure there is clear communication with the board and other C-level executives on several key issues, including the ROI and any public relations issues should a data breach occur. This could help them reverse-calculate the value that they are bringing, which a lot of organizations are not doing, he explained.
The growing and changing CISO role
The CISO role has evolved as the threat landscape has hyper-evolved, according to Scott.
“Back in the day, it was more along the lines of network security from DDoS attacks. It was a different nature of maliciousness,” he explained. “Now, as far as the role, it’s managing third parties that have indirect network access. It’s managing the whole threat landscape.”
Employees also need to be educated on the latest potential threats, such as what the latest ransomware email looks like, he added. General staff should be educated on day-to-day security operations, and this training should be done on a regular basis.
“They’ve had to expand their fluent comprehension of new technologies,” Scott said. “And then there are different types of analytics, and the various spectrum of analytics, such as user behavior analytics, or user behavioral biotech.”
In the healthcare space in particular, CISOs have almost had to sell security to their organization. It can be a challenge to explain to the CEO or CFO why so much more money is needed to keep data secure.
“CISOs need to be able to say, ‘Well, 10 years ago we only needed this much money to protect the company from attacks and breaches, but now we need three times that amount and here’s why.’ They have to go in and sell the need to the board while simultaneously trying to protect their organization with virtually archaic technologies.”
Essentially, healthcare CISOs have to sell the idea of ‘here are all of the threats,’ and that is often based on what could happen, not necessarily what has happened already.
That can be a big change for many individuals in that role, Scott explained. However, it’s important to approach the situation by working toward finding solutions, rather than becoming too overwhelmed.