Source: s3.amazonaws.com/rdcms-himss/files/production/public/2015Conference/handouts/31.pdf
Selecting The Right CISO
April 13, 2015
Mac McMillan, Chair, HIMSS Privacy & Security Task Force
Heather Roszkowski, CISO, The University of Vermont Medical Center
DISCLAIMER: The views and opinions expressed in this presentation are those of the author and do not necessarily represent official policy or position of HIMSS.
Conflict of Interest
Mac McMillan, MA
Heather Roszkowski, MSIA
No real or apparent conflicts of interest to report.
© HIMSS 2015
Learning Objectives
1. Assess current operational and threat environment factors that inform the working knowledge that CISOs must possess to succeed in Healthcare
2. Identify the required skills, knowledge and experience healthcare information security officers need today
3. Explain how to build the critical structures and a supportive ecosystem to enable a successful information security program
4. Develop the knowledge to recruit, select and fill key information security positions with the right candidates
Understanding the Value of the CISO
[Diagram: "Greater Confidence, Trust & Patient Safety" at the center, surrounded by Operational Savings; Patient, Provider and Staff Satisfaction; Quality & Safety; Reliable Data; Prevention; Patient Education]
Source: An Introduction to the Benefits Realized for the Value of Health IT
Agenda
• Your Cheese Has Moved
• Professional Skills
• Personal Skills
• Environmental Factors
• Q&A
Polling Question
Is security in your organization perceived as:
A. A top priority
B. Somewhat a priority
C. A lesser priority
D. Not a priority
https://gameday.doubledutch.me/?sessionToken=e8d271f1-3eb4-4f4b-95b5-359c9ef1c209&mod=polls&pollId=23194
Your Cheese Has Moved
Understanding The Importance of The Professional CISO
Security Challenges Are Increasing
• Insider threats
• Supply chain risks
• Medical device insecurity
• Malware & advanced persistent threats
• Mobile devices & mobile apps
• ID theft & fraud
• Physical theft & loss
• Emerging threats
Security Incidents Are Costing Us More
• Discovery, Notification & Response
• Business Disruption
• ID Theft Monitoring
• Investigation/Review
• Civil Penalties
• Federal CAP/RA
• State Actions
• Lawsuit Defense
• Criminal Penalties
• Insurance
• Degradation of Brand/Image
• Distraction of Staff
• VBP Payment Impacts
• HCAHPS Score Impacts
• Patient Confidence/Loyalty
• Physician Alignment/Nurses and Staff Agreement
The Threat Has Evolved
• 4M medical records maintained on four workstations
• Physician loses laptop with psychiatric patients' records
• Neurologic institute accidentally emails 10,000 patient records to 200 patients
• Phishing/hacking nets nearly $3M from six healthcare entities
• University reports laptop with patient information stolen out of student's car
• Printers returned to leasing company compromise thousands of patient records
• Portable electronic device with patient data stolen from hospital
• 2200 physicians victims of ID theft/tax fraud
• Vendor sends 800 letters with patient information to the wrong addresses
• Vendor sells hospital's X-rays (films) to third party
• 400 hospitals' billings delayed as clearinghouse hit with ransomware
• Resident loses track of USB with over 500 orthopedic patients' information
• APT causes major breach, 4.5M patient records stolen
• Physician robbed at gunpoint, threatened for passwords
• State-sponsored foreign hackers attack, 80M identities stolen
Increased Reliance & Hyper Connectivity
• Today's CISO has to understand business needs
• Must have security expertise to match the cyber threats and business demand
• Understanding HIPAA is not enough in today's modern health IT environment
• It's not about compliance, it's about assurance
[Diagram labels: Big Data, Physician Alignment, BYOD, Patient Engagement, Supply Chain, HIEs, MU, Ingestibles, BAs, ACOs, Research]
Polling Question
Do you have a dedicated security position, CISO, for your org?
• Yes
• No
https://gameday.doubledutch.me/?sessionToken=e8d271f1-3eb4-4f4b-95b5-359c9ef1c209&mod=polls&pollId=23191
Yet, We Still Suffer From Insufficient Resources
• In the 2014 HIMSS study, healthcare CISOs gave themselves an average maturity rating of 4.35 on a scale of 1-7
• Many reported missing critical technologies to fight today's threats
• More than half of healthcare entities spend less than 3% of their IT budget on data protection
• Less than half have a full-time CISO or information security manager
• Many healthcare security managers are first-timers
6th Annual HIMSS Security Survey. Feb. 2014.
Professional Skills
Program Vision
• Risk Management: Defining an integrated risk management approach that is right for the business.
• Promoting Governance: Understanding the right information to report to the right body to promote oversight support for the program.
• Appropriate Policies: Effectively crafting and communicating policies that support the business operations and goals.
• Creating Structure: Ability to develop and implement the right security framework to address all laws, regulations, standards, etc. that apply to the business.
• Creating Accountability: Establishing a culture of privacy and security that is aligned with the business.
• Achieving Compliance: Ensuring that compliance is an important side benefit of effectively securing the business and its data.
Addressing Risk
• Contingency Planning: Effectively lead development of an actionable disaster recovery and continuity program with business owners.
• Handling Incidents: Implement proactive measures to identify, investigate, document and communicate potential and real breaches.
• Being Responsible: Promote and assist in auditing controls and processes to ensure effectiveness and integrity.
• Know Yourself: Ensure appropriate due diligence by facilitating on-going mitigation of risk through regular and periodic assessment.
• Know Your Enemy: Understand what threats concern the business and monitor proactively for signs or indications of their presence.
• Analyze Information: Analyze info from incidents, logs, assessments, processes, workflows, etc. to identify threats and to inform selection/implementation of controls.
Managing Others
• Vendor Management: Develop and implement processes to assess life cycle risks associated with external service providers, consultants and partners.
• System Selection: Identify requirements and establish processes for timely assessment of new technology.
• Mergers & Acquisitions: Assess risks to support due diligence negotiations and educated incorporation of assets.
• Setting Expectations: Set service level agreements that guide program outcomes and service expectations for stakeholders.
• Resource Planning: Develop, defend and implement budget and resource planning that solicits key stakeholder inputs and priorities.
• Security Advocates: Select and foster key individuals throughout the organization to act as security advocates; use them to provide value to ongoing security initiatives.
Personal Skills
Are Certifications Important?
[Diagram labels: Knowledge, Credibility, Value, Experience]
• Basic Learning: Certain certifications represent a starting point in determining some formal knowledge of security principles and practices.
• Advanced Learning: Other certifications demonstrate specialization in a particular security discipline or focus and depth of knowledge.
• The Right Certification: When selecting an ISO, certifications that demonstrate more practical knowledge of managing security, like the CISM, are more valuable, as are other certifications that show a broader experience (e.g. PMP, CHP or CISA).
• Most Important: There is no replacement for experience, which is far more important than certifications. Certifications say "they should know how to do it"; experience says "they have done it".
Polling Question
Where or to whom does your CISO report?
A. CEO/COO
B. CFO
C. CIO
D. General Counsel
E. Compliance
https://gameday.doubledutch.me/?sessionToken=e8d271f1-3eb4-4f4b-95b5-359c9ef1c209&mod=polls&pollId=23192
Find People Who Can Create Success
• Information: People like to know what is happening and why. Provide updates often, synthesize essential points and deliver them in concise messages.
• Alignment: Look at security from the customer's point of view; if you are perceived as understanding their plight/goals they are more apt to listen.
• Appropriateness: Apply security realistically and keep it simple when possible, so when hard decisions are necessary they'll be more supportive.
• Service: Remember the business does not exist for security; security exists because of the business. Your job is to serve, to enable.
Building A Supportive Ecosystem
Many Different Models
CISOs have been found in many different organizations within Healthcare entities. The majority are found in Information Technology, followed by Compliance, Finance, Legal, and occasionally a few others.
[Chart labels: Information Technology, Compliance, Finance, Legal, Other]
Does Placement Matter?
[Diagram of placement models: CISO is CIO; CISO reports to CIO; CISO layers below CIO]
In Healthcare 90% Report to CIO
• Pros:
– Access to executive leadership
– "C" level skills & org awareness
– Easier to make IT change to promote security
– Increases influence for CIO
• Cons:
– IS oversight is limited
– May detract CIO attention from other priorities
– Conflicts of interest
– Loss of full organizational access
Polling Question
Do you feel security has enough visibility in the org?
• Yes
• No
https://gameday.doubledutch.me/?sessionToken=e8d271f1-3eb4-4f4b-95b5-359c9ef1c209&mod=polls&pollId=23193
It’s As Much About Who As It Is Where
• Short answer: CISOs have been equally successful and unsuccessful in nearly all organizational structures.
• The keys to success or failure include the ability of the person, the level of visibility, and real support for the program, the position and the person.
• The executive team should be regularly briefed by the CISO.
“When the board took an interest in the program, things changed, resources started coming.”
Program Management
• Leadership: The CISO needs to be able to create vision, influence others and motivate the organization to follow.
• Relationship Building: Effectively create alliances by assisting others. Giving support is how you get support.
• Articulating Threat: Effectively explaining risk to the business, not just to systems and data, is critical to being relevant and heard.
• Healthcare Acumen: Hospital executives expect CISOs to be able to relate security requirements to the mission of providing safety and care.
• Planning Ahead: Planning enables communication of priorities, budget defense, identifying objectives and measurement.
• Human Nature: Understanding human behavior is critical to understanding the most volatile element in security: people.
Building Collaboration
• Effective Relationships: Proactively working security issues with key stakeholders: Compliance, Legal, Internal Audit, etc.
• Communicate Status: Establish regular reporting of performance, business accomplishments and maturity of the program.
• Representation: Establish relationships with external agencies, law enforcement and others that can provide valuable threat information and support.
• Collegiality: Demonstrate the presence and maturity to work effectively on teams, committees, boards, etc. to secure support for security.
Other Factors
• Know the Limits: The organization (and the CISO) need to know what tools are better managed internally vs. externally.
• How To Say 'Yes': It is important for the security team to help find a way to say 'yes' but not be afraid to say 'no.'
• Establish Security Council: The council can help prioritize initiatives and champion changes.
• Predictability: Build predictable processes to deal with unpredictable circumstances.
• Impact: Know and understand the impact that implementing security tools has on the customer and, more importantly, the patient.
• Patient Safety: Poor information security can put the patient at risk.
Recruiting For Success
Healthcare Needs CISOs That…
• Are leaders
• Possess business acumen
• Are comfortable managing risk
• Embrace enablement
• Think strategically, act tactically
• Are effective communicators
• Are able to drive process
• Understand and apply psychology/sociology
• Are politically savvy
• Know privacy & security
• Possess endless curiosity
Multiple Benefits Accrue From Having a Qualified Dedicated CISO
• Savings
• Satisfaction
• Quality & Safety
• Reliability
• Prevention
• Education
[Diagram: Qualified CISO leading to Greater Confidence, Trust & Patient Safety]
Questions
• Mac McMillan • [email protected] • 512.402.8555 • @mmcmillan07
• Heather Roszkowski • [email protected] • 802.847.8100