Careers & People

9/22/2017
10:30 AM
Clyde Hewitt
Clyde Hewitt
Commentary
50%
50%

Health IT & Cybersecurity: 5 Hiring Misconceptions to Avoid

Why healthcare organizations need a good strategy to find talent, or get left behind.

The recent WannaCry and NotPetya cyber attacks should remove all doubts that organizations are safe from collateral damage when international cybercrime and perhaps even nation-state actors decide to attack. As reports of the attack surfaced, healthcare executives and CIOs especially understood that risks were not contained within the walls of their facility or even their data center, as supply chain partners like Nuance were affected. This seriously disrupted untold numbers of healthcare organizations and increased board interest to act.

One thing is clear: These new threats require new investments not only in technology but process and people. Healthcare organizations need a good strategy to find talent or get left behind. That strategy starts with countering five misconceptions.

Misconception 1: Just hire one Swiss army knife.
In reality, there are as many different cybersecurity specialties as there are different physician specialties. It is not possible to hire one physician to treat all patients, so healthcare executives should not expect to hire one specialist to meet all cybersecurity needs. For example, cybersecurity managers are needed for strategic leadership, to manage the risk analysis process, educate the workforce, and develop programs. Security architects and engineers will design solutions and implement new technology. Other security professionals operate the technical systems, manage vendors, or audit/monitor results. All of the professionals above require different training, certifications, skills, and experience.

Misconception 2: Assign all cybersecurity responsibilities to the IT department.
One clue to the wide range of cybersecurity needs lies in a properly conducted risk analysis, but only if the effort was properly scoped and performed. It is common to identify cybersecurity risks requiring a broad range of technical and non-technical responses, with responsibilities for risk mitigation assigned to many departments outside of IT, including physical security, human resources, biomedical engineering, contracts management (sometimes called strategic sourcing), and others. Unfortunately, dollars spent are a highly visible yardstick, but this disproportionately favors expensive technical solutions over many non-technical initiatives that require staff and process. In addition, the "dollar yardstick" will not necessarily represent all, or even the highest, risks present.

Misconception 3: Cybersecurity professionals and IT staff are interchangeable.
The first flaw in this logic is that cybersecurity staff does the same job as IT staff. First, while all IT staffers have some security responsibilities, it is not their primary job. Cybersecurity professionals need to have a broad range of skills beyond IT, including business process, vendor management, physical security, threat awareness, and business continuity management (not just disaster recovery). The basic skills needed are executive leadership, budgeting, and a good understanding of compliance, audit, and technology. Hiring someone into these positions requires developing a career ladder; otherwise, it will be difficult to recruit top talent. This will require the involvement of the human resources team to set pay bands for each step in the ladder based on minimum skills, experience, and certifications. It may also be necessary to work with trade organizations or organizational management resources to identify appropriate national competitive pay rates.

Misconception 4: We can always find local talent.
The demand in most markets for security talent has far outstripped supply. Healthcare organizations are competing with other domains such as manufacturing, banking, and energy, which have demonstrated that they are willing to pay higher wages and offer a better career path to be competitive. Forbes reported in 2016 that there are 1 million unfilled cybersecurity positions, a number expected to grow to more than 1.5 million by 2020. That will makes it necessary to identify potential candidates from other sources, or grow talent internally. This strategy works best when there is a mentoring program that leverages healthcare member-based organizations, outside contractors who serve in a partnership role, and frequent higher-level training. It will fail when organizations invest in the training and growth of individuals, then fail to appropriately adjust their pay bands to keep up, as the skills/pay imbalance will eventually cause attrition.

Misconception 5: Outsourcing is expensive.
Architecting and then implementing a solid security program that blends advanced technology, trained staff, mature processes, and executive support takes specialized talent. The challenge is that this type of talent is expensive and may not be interested in operating the program once deployed. Healthcare executives may want to consider outsourcing the security program development, implementation of technology and processes, even skilled resources, and then use local resources to operate the system.

In this case, the senior security official, or project sponsor, should first evaluate the level of skills the necessary for accomplishing specific measurable objectives, as well as the duration. Some tasks are better suited to a project-type of engagement, which can limit costs. Other long-term projects may require interim staffing that provides services on a part-time basis (such as a virtual chief information security officer) or on a full-time basis for a limited duration (such as biomedical security architect). Any of these models work, as there are advantages to all. Don't forget that periodic reviews are valuable for providing midcourse corrections, filling specific skill gaps in recruiting, and staff augmentation. 

Addressing security vulnerabilities and building a security management program requires leadership and resources that can be met with both internal and vendor-supported roles. The process of identifying a leader to manage the transformation requires an individual with a broad set of skills. However, trying to find one person to meet all requirements is unlikely and ill-advised. It takes a team, but every team needs a leader. 

Related Content:

  

Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Clyde Hewitt is vice president of security strategy at CynergisTek. He brings more than 30 years of executive leadership experience in cybersecurity to his current position, where his many responsibilities include being the senior security advisor and client executive, ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Clyde Hewitt
50%
50%
Clyde Hewitt,
User Rank: Author
9/25/2017 | 3:22:58 PM
Re: Health IT
Thank you for your comment Martin George. The article was targeted to the healthcare audience, but the comments are valid for most all domains. 
martin.george
100%
0%
martin.george,
User Rank: Apprentice
9/25/2017 | 11:10:28 AM
Health IT
it is really hard to say, that IT is really health, it is very difficult theme, and it is not so easy as it may seem at the first time 
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Number of Retailers Impacted by Breaches Doubles
Ericka Chickowski, Contributing Writer, Dark Reading,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to build 437 contains a Cross Site Scripting (XSS) vulnerability in the Media module and create folder functionality that can result in an Authenticated user with media module permission creating arbitrary folder name with XSS content. This attack appear to be exploitable v...
CVE-2018-19990
PUBLISHED: 2018-07-23
October CMS version prior to Build 437 contains a Local File Inclusion vulnerability in modules/system/traits/ViewMaker.php#244 (makeFileContents function) that can result in Sensitive information disclosure and remote code execution. This attack appear to be exploitable remotely if the /backend pat...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit cced03dd667a5df6df8fd40d8de0bff477ee02e8 contains multiple out of array access vulnerabilities in the mms protocol that can result in attackers accessing out of bound data. This attack appear to be exploitable via network connectivity. This vulnerability appears to have been fix...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 2b46ebdbff1d8dec7a3d8ea280a612b91a582869 contains a Buffer Overflow vulnerability in asf_o format demuxer that can result in heap-buffer-overflow that may result in remote code execution. This attack appears to be exploitable via specially crafted ASF file that has to be provide...
CVE-2018-19990
PUBLISHED: 2018-07-23
FFmpeg before commit 9807d3976be0e92e4ece3b4b1701be894cd7c2e1 contains a CWE-835: Infinite loop vulnerability in pva format demuxer that can result in a Vulnerability that allows attackers to consume excessive amount of resources like CPU and RAM. This attack appear to be exploitable via specially c...