Careers & People

10:30 AM
Clyde Hewitt
Clyde Hewitt

Health IT & Cybersecurity: 5 Hiring Misconceptions to Avoid

Why healthcare organizations need a good strategy to find talent, or get left behind.

The recent WannaCry and NotPetya cyber attacks should remove all doubts that organizations are safe from collateral damage when international cybercrime and perhaps even nation-state actors decide to attack. As reports of the attack surfaced, healthcare executives and CIOs especially understood that risks were not contained within the walls of their facility or even their data center, as supply chain partners like Nuance were affected. This seriously disrupted untold numbers of healthcare organizations and increased board interest to act.

One thing is clear: These new threats require new investments not only in technology but process and people. Healthcare organizations need a good strategy to find talent or get left behind. That strategy starts with countering five misconceptions.

Misconception 1: Just hire one Swiss army knife.
In reality, there are as many different cybersecurity specialties as there are different physician specialties. It is not possible to hire one physician to treat all patients, so healthcare executives should not expect to hire one specialist to meet all cybersecurity needs. For example, cybersecurity managers are needed for strategic leadership, to manage the risk analysis process, educate the workforce, and develop programs. Security architects and engineers will design solutions and implement new technology. Other security professionals operate the technical systems, manage vendors, or audit/monitor results. All of the professionals above require different training, certifications, skills, and experience.

Misconception 2: Assign all cybersecurity responsibilities to the IT department.
One clue to the wide range of cybersecurity needs lies in a properly conducted risk analysis, but only if the effort was properly scoped and performed. It is common to identify cybersecurity risks requiring a broad range of technical and non-technical responses, with responsibilities for risk mitigation assigned to many departments outside of IT, including physical security, human resources, biomedical engineering, contracts management (sometimes called strategic sourcing), and others. Unfortunately, dollars spent are a highly visible yardstick, but this disproportionately favors expensive technical solutions over many non-technical initiatives that require staff and process. In addition, the "dollar yardstick" will not necessarily represent all, or even the highest, risks present.

Misconception 3: Cybersecurity professionals and IT staff are interchangeable.
The first flaw in this logic is that cybersecurity staff does the same job as IT staff. First, while all IT staffers have some security responsibilities, it is not their primary job. Cybersecurity professionals need to have a broad range of skills beyond IT, including business process, vendor management, physical security, threat awareness, and business continuity management (not just disaster recovery). The basic skills needed are executive leadership, budgeting, and a good understanding of compliance, audit, and technology. Hiring someone into these positions requires developing a career ladder; otherwise, it will be difficult to recruit top talent. This will require the involvement of the human resources team to set pay bands for each step in the ladder based on minimum skills, experience, and certifications. It may also be necessary to work with trade organizations or organizational management resources to identify appropriate national competitive pay rates.

Misconception 4: We can always find local talent.
The demand in most markets for security talent has far outstripped supply. Healthcare organizations are competing with other domains such as manufacturing, banking, and energy, which have demonstrated that they are willing to pay higher wages and offer a better career path to be competitive. Forbes reported in 2016 that there are 1 million unfilled cybersecurity positions, a number expected to grow to more than 1.5 million by 2020. That will makes it necessary to identify potential candidates from other sources, or grow talent internally. This strategy works best when there is a mentoring program that leverages healthcare member-based organizations, outside contractors who serve in a partnership role, and frequent higher-level training. It will fail when organizations invest in the training and growth of individuals, then fail to appropriately adjust their pay bands to keep up, as the skills/pay imbalance will eventually cause attrition.

Misconception 5: Outsourcing is expensive.
Architecting and then implementing a solid security program that blends advanced technology, trained staff, mature processes, and executive support takes specialized talent. The challenge is that this type of talent is expensive and may not be interested in operating the program once deployed. Healthcare executives may want to consider outsourcing the security program development, implementation of technology and processes, even skilled resources, and then use local resources to operate the system.

In this case, the senior security official, or project sponsor, should first evaluate the level of skills the necessary for accomplishing specific measurable objectives, as well as the duration. Some tasks are better suited to a project-type of engagement, which can limit costs. Other long-term projects may require interim staffing that provides services on a part-time basis (such as a virtual chief information security officer) or on a full-time basis for a limited duration (such as biomedical security architect). Any of these models work, as there are advantages to all. Don't forget that periodic reviews are valuable for providing midcourse corrections, filling specific skill gaps in recruiting, and staff augmentation. 

Addressing security vulnerabilities and building a security management program requires leadership and resources that can be met with both internal and vendor-supported roles. The process of identifying a leader to manage the transformation requires an individual with a broad set of skills. However, trying to find one person to meet all requirements is unlikely and ill-advised. It takes a team, but every team needs a leader. 

Related Content:


Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.

Clyde Hewitt is vice president of security strategy at CynergisTek. He brings more than 30 years of executive leadership experience in cybersecurity to his current position, where his many responsibilities include being the senior security advisor and client executive, ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Clyde Hewitt
Clyde Hewitt,
User Rank: Author
9/25/2017 | 3:22:58 PM
Re: Health IT
Thank you for your comment Martin George. The article was targeted to the healthcare audience, but the comments are valid for most all domains.
User Rank: Apprentice
9/25/2017 | 11:10:28 AM
Health IT
it is really hard to say, that IT is really health, it is very difficult theme, and it is not so easy as it may seem at the first time 
Who Does What in Cybersecurity at the C-Level
Steve Zurier, Freelance Writer,  3/16/2018
New 'Mac-A-Mal' Tool Automates Mac Malware Hunting & Analysis
Kelly Jackson Higgins, Executive Editor at Dark Reading,  3/14/2018
IoT Product Safety: If It Appears Too Good to Be True, It Probably Is
Pat Osborne, Principal - Executive Consultant at Outhaul Consulting, LLC, & Cybersecurity Advisor for the Security Innovation Center,  3/12/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
How to Cope with the IT Security Skills Shortage
Most enterprises don't have all the in-house skills they need to meet the rising threat from online attackers. Here are some tips on ways to beat the shortage.
Flash Poll
Surviving the IT Security Skills Shortage
Surviving the IT Security Skills Shortage
Cybersecurity professionals are in high demand -- and short supply. Find out what Dark Reading discovered during their 2017 Security Staffing Survey and get some strategies for getting through the drought. Download the report today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.