
Commentary by Clyde Hewitt, 9/22/2017 10:30 AM

Health IT & Cybersecurity: 5 Hiring Misconceptions to Avoid

Why healthcare organizations need a good strategy to find talent, or get left behind.

The recent WannaCry and NotPetya cyber attacks should remove all doubt that organizations are safe from collateral damage when international cybercriminals, and perhaps even nation-state actors, decide to attack. As reports of the attacks surfaced, healthcare executives and CIOs in particular understood that risks were not contained within the walls of their facilities or even their data centers, as supply chain partners like Nuance were affected. This seriously disrupted untold numbers of healthcare organizations and increased boards' interest in acting.

One thing is clear: These new threats require new investments not only in technology but process and people. Healthcare organizations need a good strategy to find talent or get left behind. That strategy starts with countering five misconceptions.

Misconception 1: Just hire one Swiss army knife.
In reality, there are as many different cybersecurity specialties as there are different physician specialties. It is not possible to hire one physician to treat all patients, so healthcare executives should not expect to hire one specialist to meet all cybersecurity needs. For example, cybersecurity managers are needed for strategic leadership, to manage the risk analysis process, educate the workforce, and develop programs. Security architects and engineers will design solutions and implement new technology. Other security professionals operate the technical systems, manage vendors, or audit/monitor results. All of the professionals above require different training, certifications, skills, and experience.

Misconception 2: Assign all cybersecurity responsibilities to the IT department.
One clue to the wide range of cybersecurity needs lies in a properly conducted risk analysis, but only if the effort was properly scoped and performed. It is common to identify cybersecurity risks requiring a broad range of technical and non-technical responses, with responsibilities for risk mitigation assigned to many departments outside of IT, including physical security, human resources, biomedical engineering, contracts management (sometimes called strategic sourcing), and others. Unfortunately, dollars spent are a highly visible yardstick, but this disproportionately favors expensive technical solutions over many non-technical initiatives that require staff and process. In addition, the "dollar yardstick" will not necessarily represent all, or even the highest, risks present.

Misconception 3: Cybersecurity professionals and IT staff are interchangeable.
The first flaw in this logic is the assumption that cybersecurity staff do the same job as IT staff. While all IT staffers have some security responsibilities, it is not their primary job. Cybersecurity professionals need a broad range of skills beyond IT, including business process, vendor management, physical security, threat awareness, and business continuity management (not just disaster recovery). The basic skills needed are executive leadership, budgeting, and a good understanding of compliance, audit, and technology. Hiring someone into these positions requires developing a career ladder; otherwise, it will be difficult to recruit top talent. This will require the involvement of the human resources team to set pay bands for each step in the ladder based on minimum skills, experience, and certifications. It may also be necessary to work with trade organizations or organizational management resources to identify appropriate nationally competitive pay rates.

Misconception 4: We can always find local talent.
The demand in most markets for security talent has far outstripped supply. Healthcare organizations are competing with other domains such as manufacturing, banking, and energy, which have demonstrated that they are willing to pay higher wages and offer a better career path to be competitive. Forbes reported in 2016 that there are 1 million unfilled cybersecurity positions, a number expected to grow to more than 1.5 million by 2020. That makes it necessary to identify potential candidates from other sources, or to grow talent internally. This strategy works best when there is a mentoring program that leverages healthcare member-based organizations, outside contractors who serve in a partnership role, and frequent higher-level training. It will fail when organizations invest in the training and growth of individuals, then fail to adjust their pay bands to keep up, as the skills/pay imbalance will eventually cause attrition.

Misconception 5: Outsourcing is expensive.
Architecting and then implementing a solid security program that blends advanced technology, trained staff, mature processes, and executive support takes specialized talent. The challenge is that this type of talent is expensive and may not be interested in operating the program once deployed. Healthcare executives may want to consider outsourcing the security program development, implementation of technology and processes, even skilled resources, and then use local resources to operate the system.

In this case, the senior security official, or project sponsor, should first evaluate the level of skills necessary for accomplishing specific measurable objectives, as well as the duration. Some tasks are better suited to a project-type engagement, which can limit costs. Other long-term projects may require interim staffing that provides services on a part-time basis (such as a virtual chief information security officer) or on a full-time basis for a limited duration (such as a biomedical security architect). Any of these models can work, as there are advantages to all. Don't forget that periodic reviews are valuable for providing midcourse corrections, filling specific skill gaps in recruiting, and staff augmentation.

Addressing security vulnerabilities and building a security management program requires leadership and resources that can be met with both internal and vendor-supported roles. The process of identifying a leader to manage the transformation requires an individual with a broad set of skills. However, trying to find one person to meet all requirements is unlikely and ill-advised. It takes a team, but every team needs a leader. 


Clyde Hewitt is vice president of security strategy at CynergisTek. He brings more than 30 years of executive leadership experience in cybersecurity to his current position, where his many responsibilities include being the senior security advisor and client executive, ...
Comments
Clyde Hewitt (User Rank: Author), 9/25/2017 3:22:58 PM, Re: Health IT
Thank you for your comment, Martin George. The article was targeted to the healthcare audience, but the comments are valid for almost all domains.
martin.george (User Rank: Apprentice), 9/25/2017 11:10:28 AM, Health IT
It is really hard to say that IT is really health; it is a very difficult theme, and it is not as easy as it may seem at first.