Careers & People

9/22/2017
10:30 AM
Clyde Hewitt
Commentary

Health IT & Cybersecurity: 5 Hiring Misconceptions to Avoid

Why healthcare organizations need a good strategy to find talent, or get left behind.

The recent WannaCry and NotPetya cyber attacks should remove all doubt that organizations are safe from collateral damage when international cybercriminals, and perhaps even nation-state actors, decide to attack. As reports of the attacks surfaced, healthcare executives and CIOs in particular understood that the risk was not contained within the walls of their facilities or even their data centers, because supply chain partners such as Nuance were affected. This seriously disrupted untold numbers of healthcare organizations and increased boards' interest in taking action.

One thing is clear: these new threats require new investments not only in technology but also in process and people. Healthcare organizations need a good strategy to find talent or they will get left behind. That strategy starts with countering five misconceptions.

Misconception 1: Just hire one Swiss army knife.
In reality, there are as many different cybersecurity specialties as there are different physician specialties. It is not possible to hire one physician to treat all patients, so healthcare executives should not expect to hire one specialist to meet all cybersecurity needs. For example, cybersecurity managers are needed for strategic leadership, to manage the risk analysis process, educate the workforce, and develop programs. Security architects and engineers will design solutions and implement new technology. Other security professionals operate the technical systems, manage vendors, or audit/monitor results. All of the professionals above require different training, certifications, skills, and experience.

Misconception 2: Assign all cybersecurity responsibilities to the IT department.
One clue to the wide range of cybersecurity needs lies in a properly conducted risk analysis, but only if the effort was properly scoped and performed. It is common to identify cybersecurity risks requiring a broad range of technical and non-technical responses, with responsibilities for risk mitigation assigned to many departments outside of IT, including physical security, human resources, biomedical engineering, contracts management (sometimes called strategic sourcing), and others. Unfortunately, dollars spent are a highly visible yardstick, but this disproportionately favors expensive technical solutions over many non-technical initiatives that require staff and process. In addition, the "dollar yardstick" will not necessarily represent all, or even the highest, risks present.

Misconception 3: Cybersecurity professionals and IT staff are interchangeable.
The flaw in this logic is the assumption that cybersecurity staff do the same job as IT staff. While all IT staffers have some security responsibilities, security is not their primary job. Cybersecurity professionals need a broad range of skills beyond IT, including business process, vendor management, physical security, threat awareness, and business continuity management (not just disaster recovery). The basic skills needed are executive leadership, budgeting, and a good understanding of compliance, audit, and technology. Hiring someone into these positions requires developing a career ladder; otherwise, it will be difficult to recruit top talent. This will require the involvement of the human resources team to set pay bands for each step in the ladder based on minimum skills, experience, and certifications. It may also be necessary to work with trade organizations or organizational management resources to identify appropriate nationally competitive pay rates.

Misconception 4: We can always find local talent.
The demand for security talent in most markets has far outstripped supply. Healthcare organizations are competing with other sectors such as manufacturing, banking, and energy, which have demonstrated that they are willing to pay higher wages and offer a better career path to stay competitive. Forbes reported in 2016 that there are 1 million unfilled cybersecurity positions, a number expected to grow to more than 1.5 million by 2020. That makes it necessary to identify potential candidates from other sources, or to grow talent internally. This strategy works best when there is a mentoring program that leverages healthcare member-based organizations, outside contractors who serve in a partnership role, and frequent higher-level training. It will fail when organizations invest in the training and growth of individuals and then fail to adjust their pay bands to keep up, because the skills/pay imbalance will eventually cause attrition.

Misconception 5: Outsourcing is expensive.
Architecting and then implementing a solid security program that blends advanced technology, trained staff, mature processes, and executive support takes specialized talent. The challenge is that this type of talent is expensive and may not be interested in operating the program once deployed. Healthcare executives may want to consider outsourcing the security program development, implementation of technology and processes, even skilled resources, and then use local resources to operate the system.

In this case, the senior security official, or project sponsor, should first evaluate the level of skills necessary for accomplishing specific measurable objectives, as well as the duration of the work. Some tasks are better suited to a project-type engagement, which can limit costs. Other long-term projects may require interim staffing that provides services on a part-time basis (such as a virtual chief information security officer) or on a full-time basis for a limited duration (such as a biomedical security architect). Any of these models can work, as each has its advantages. Don't forget that periodic reviews are valuable for providing midcourse corrections, filling specific skill gaps in recruiting, and staff augmentation.

Addressing security vulnerabilities and building a security management program requires leadership and resources that can be met with both internal and vendor-supported roles. Identifying a leader to manage the transformation requires an individual with a broad set of skills. However, finding one person to meet all requirements is unlikely and ill-advised. It takes a team, but every team needs a leader.


Clyde Hewitt is vice president of security strategy at CynergisTek. He brings more than 30 years of executive leadership experience in cybersecurity to his current position, where his many responsibilities include being the senior security advisor and client executive, ...
Comments
Clyde Hewitt
User Rank: Author
9/25/2017 | 3:22:58 PM
Re: Health IT
Thank you for your comment, Martin George. The article was targeted at the healthcare audience, but the comments are valid for almost all domains.
martin.george
User Rank: Apprentice
9/25/2017 | 11:10:28 AM
Health IT
It is really hard to say that IT is really healthy; it is a very difficult theme, and it is not as easy as it may seem at first.