The recent WannaCry and NotPetya cyber attacks should remove all doubts that organizations are safe from collateral damage when international cybercrime and perhaps even nation-state actors decide to attack. As reports of the attack surfaced, healthcare executives and CIOs especially understood that risks were not contained within the walls of their facility or even their data center, as supply chain partners like Nuance were affected. This seriously disrupted untold numbers of healthcare organizations and increased board interest to act.
One thing is clear: These new threats require new investments not only in technology but process and people. Healthcare organizations need a good strategy to find talent or get left behind. That strategy starts with countering five misconceptions.
Misconception 1: Just hire one Swiss army knife.
In reality, there are as many different cybersecurity specialties as there are different physician specialties. It is not possible to hire one physician to treat all patients, so healthcare executives should not expect to hire one specialist to meet all cybersecurity needs. For example, cybersecurity managers are needed for strategic leadership, to manage the risk analysis process, educate the workforce, and develop programs. Security architects and engineers will design solutions and implement new technology. Other security professionals operate the technical systems, manage vendors, or audit/monitor results. All of the professionals above require different training, certifications, skills, and experience.
Misconception 2: Assign all cybersecurity responsibilities to the IT department.
One clue to the wide range of cybersecurity needs lies in a properly conducted risk analysis, but only if the effort was properly scoped and performed. It is common to identify cybersecurity risks requiring a broad range of technical and non-technical responses, with responsibilities for risk mitigation assigned to many departments outside of IT, including physical security, human resources, biomedical engineering, contracts management (sometimes called strategic sourcing), and others. Unfortunately, dollars spent are a highly visible yardstick, but this disproportionately favors expensive technical solutions over many non-technical initiatives that require staff and process. In addition, the "dollar yardstick" will not necessarily represent all, or even the highest, risks present.
Misconception 3: Cybersecurity professionals and IT staff are interchangeable.
The first flaw in this logic is that cybersecurity staff does the same job as IT staff. First, while all IT staffers have some security responsibilities, it is not their primary job. Cybersecurity professionals need to have a broad range of skills beyond IT, including business process, vendor management, physical security, threat awareness, and business continuity management (not just disaster recovery). The basic skills needed are executive leadership, budgeting, and a good understanding of compliance, audit, and technology. Hiring someone into these positions requires developing a career ladder; otherwise, it will be difficult to recruit top talent. This will require the involvement of the human resources team to set pay bands for each step in the ladder based on minimum skills, experience, and certifications. It may also be necessary to work with trade organizations or organizational management resources to identify appropriate national competitive pay rates.
Misconception 4: We can always find local talent.
The demand in most markets for security talent has far outstripped supply. Healthcare organizations are competing with other domains such as manufacturing, banking, and energy, which have demonstrated that they are willing to pay higher wages and offer a better career path to be competitive. Forbes reported in 2016 that there are 1 million unfilled cybersecurity positions, a number expected to grow to more than 1.5 million by 2020. That will makes it necessary to identify potential candidates from other sources, or grow talent internally. This strategy works best when there is a mentoring program that leverages healthcare member-based organizations, outside contractors who serve in a partnership role, and frequent higher-level training. It will fail when organizations invest in the training and growth of individuals, then fail to appropriately adjust their pay bands to keep up, as the skills/pay imbalance will eventually cause attrition.
Misconception 5: Outsourcing is expensive.
Architecting and then implementing a solid security program that blends advanced technology, trained staff, mature processes, and executive support takes specialized talent. The challenge is that this type of talent is expensive and may not be interested in operating the program once deployed. Healthcare executives may want to consider outsourcing the security program development, implementation of technology and processes, even skilled resources, and then use local resources to operate the system.
In this case, the senior security official, or project sponsor, should first evaluate the level of skills the necessary for accomplishing specific measurable objectives, as well as the duration. Some tasks are better suited to a project-type of engagement, which can limit costs. Other long-term projects may require interim staffing that provides services on a part-time basis (such as a virtual chief information security officer) or on a full-time basis for a limited duration (such as biomedical security architect). Any of these models work, as there are advantages to all. Don't forget that periodic reviews are valuable for providing midcourse corrections, filling specific skill gaps in recruiting, and staff augmentation.
Addressing security vulnerabilities and building a security management program requires leadership and resources that can be met with both internal and vendor-supported roles. The process of identifying a leader to manage the transformation requires an individual with a broad set of skills. However, trying to find one person to meet all requirements is unlikely and ill-advised. It takes a team, but every team needs a leader.
- Why InfoSec Hiring Managers Miss the Oasis in the Desert
- NotPetya: How to Prep and Respond if You're Hit
- The 'Team of Teams' Model for Cybersecurity
- Hacking the Security Job Application Process
Join Dark Reading LIVE for two days of practical cyber defense discussions. Learn from the industry’s most knowledgeable IT security experts. Check out the INsecurity agenda here.