Faced with an onslaught of threats these days, healthcare chief information security officers (CISOs) need to take a deep breath and focus on cybersecurity best practices.
The number and frequency of these threats—ransomware, cryptocurrency mining, data-stealing malware, advanced persistent threats, malicious insiders, and careless employees, to name a few—can be overwhelming. It can seem as if healthcare CISOs and their teams are always one step behind well-funded adversaries.
Sentara Healthcare CISO Dan Bowden has learned some hard lessons about improving cybersecurity during his career as a healthcare CISO.
In an exclusive interview, Bowden spoke with HealthITSecurity.com about the top ten lessons he has learned and best practices he has adopted over his long IT career:
1. Seek first to understand, and then to be understood – Stephen Covey
There is a danger that when you get to an executive level in your career, you assume you know what needs to be done without stopping to understand the specific situation you are dealing with. There’s a danger that you come in with a “playbook” and expect that to work at any organization.
“I’ve been now the CISO of two different organizations, and the two organizations actually do things very differently. But in both situations, I had to sit down and figure out and understand, ‘Okay, how does this organization function? Is it a governance-driven organization? Is it a culture-driven organization?’” Bowden observed.
Once he understood how his organization functions, he developed a strategy for implementing a cybersecurity program tailored to that environment.
“You’ve got to figure out where you’re at and what everyone else knows before you go in trying to push mandates,” he advised.
2. Lead by building trust and influence, not by pointing at the org chart
You can’t get people to follow your direction if you say, “Well, I’m the CISO, you should just do it,” Bowden observed.
Instead, you need to get buy-in from the other person. You should explain what you want to do in language that a lay person can relate to. It’s about building relationships with people.
“I think the sign of really strong leadership is when you can get things done because the people around you believe in it, and they’re not doing it because they’re beholden to your title or the org chart,” Bowden said.
3. Telegraph your plans, allow others buy-in, create joint ownership
“When there’s something big I want to get done, I start talking about it well in advance of actually working on it,” Bowden said.
He started working on getting buy-in for his 2018 security initiatives in the winter/spring of 2017. Initially, he experienced resistance; people would cite various barriers to his proposals.
“By the time the budget cycle and the planning for 2018 came around, I had these folks on board to help me execute the 2018 initiatives, and on board in such a way that these initiatives aren’t necessarily owned specifically by me,” he commented.
4. Act and speak like the C-suite and board are included
The Sentara CISO stressed that you need to speak about security issues in a way that non-experts can understand. Especially for the C-suite and board, the security conversation needs to be in terms of risk to the business.
“If you can describe the threat or vulnerabilities in such a way that they can equate that to risks to the business, they appreciate that,” Bowden said.
“If you want to have influence with the board, no matter who you report to, what you need to do is talk in terms of the business and don’t get too caught up in cybersecurity speak and jargon,” he added.
5. Make your boss and their boss look good
“I try to find out what’s on my boss’s agenda, what’s on the CEO’s agenda, and how I can play a part in helping that be successful,” Bowden said.
For example, he worked with Sentara’s CIO to communicate the organization’s cybersecurity program to the CEO in a way the CEO could support.
“That made [the CEO] feel confident in what we were doing, and in a way that he could explain our strategy to his peers of other healthcare organizations in a cybersecurity business context,” he said.
6. Create pre-determined outcomes
“I don’t walk into a meeting and present something absolutely cold,” Bowden said.
Instead, he lays the groundwork for the proposals before the formal presentation. He talks “extensively” beforehand with the stakeholders to let them express any concerns they have, and he tries to address those concerns before his presentation.
“Not everybody likes doing that stuff because it takes a lot of time. They just gear up for that one big presentation. They think they’re going to hit that big homerun presentation, and everybody’s going to love it. The truth is, half the people in there aren’t going to know what you’re talking about if you don’t tell them beforehand,” Bowden related.
7. People first, then process, then technology
“What’s crucial here is making sure that the people on your team understand what the role of the program is in the greater organization and that you help them feel like they’re trained and equipped to be successful doing that,” Bowden said.
This involves coaching, critiquing, and mentoring employees to let them know what is expected of them and how to meet those expectations and be successful.
“Once they believe that you’re in it to see them be successful, they’ll do a lot of work for you on getting the processes and technology aligned,” he said.
8. Recruit and re-recruit your people, from dedication to commitment
The people on your team should be the face of the security program. As a leader, you should train them to succeed and then let them take ownership of the program and commit to its success.
“My job is to come here and build the program. Maybe after I build the program and it’s a raving success, I go somewhere else to build another program. The way I’m going to be rated on what I did in building this program is looking at what I left behind,” he explained.
“All of us have seen situations where a particular organization was tied so much to the leader or the leader’s brand that when the leader left all of a sudden there was doubt around that particular organization or the organization seemed to falter,” he added.
9. Look for “net adds”: there is always a small win available, and they add up
Instead of looking for a big, expensive solution that will “solve” everything, a good cybersecurity leader should try to get the small things done, and over time they add up to the big solution.
“I’ve been doing cybersecurity for long enough that I know often there are smaller things you can do along the way that mitigate risk,” he said.
The smaller things include employee training, improving existing processes, and fully implementing technology the organization already owns, he related.
10. Capitalize on crisis
Bowden cited the example of last year’s WannaCry ransomware attacks against healthcare organizations.
“If the CEO didn’t know who the CISO was before WannaCry, they definitely knew after,” he quipped.
An incident like this is an opportunity for a CISO who is prepared with an understanding of the threat and the possible responses. It was also an opportunity to educate the CEO about the importance of cybersecurity hygiene and cyber incident response planning.
“Whenever some sort of a major security incident happens outside your organization or inside your organization, you should be prepared to move forward quickly and use that in a way to mature your organization’s cybersecurity program,” Bowden concluded.