Healthcare Cybersecurity Posture
Just a few years ago, the thought of a Chief Information Security Officer (CISO) having an audience with the board sounded more like a dream come true than reality. Indeed, cybersecurity was not a top priority for most management teams until the true damage of security breaches started being revealed. Threats such as Spectre pushed management teams to focus more on healthcare cybersecurity, so that they would not be left exposed to threats that can cause millions of dollars in damages.
Nowadays, CISOs have the opportunity to present to the board, whether annually, bi-annually, or quarterly. These presentations are an excellent opportunity for CISOs to advance their agenda within the organization and to strengthen their overall efforts. However, for such a presentation to be successful, CISOs need to be adequately prepared. Many struggle with how such a presentation should be structured and what information it should include.
According to Sean Murphy, CISO of Premera Blue Cross (a health insurer with the Blue Cross Association), “Cybersecurity is now a board level issue.” Concern about cybersecurity is widespread, and CISOs need to be prepared prior to a board meeting. He shared some best-practice reporting tips.
What CISOs need to know before the meeting
Given an opportunity to present in front of the board, there are important preparation tips every CISO should know. In most cases, time is limited, and the CISO should present actionable information to the board in order to be successful. Talk about “how the security posture of the organization looks,” says Murphy.
Healthcare cybersecurity information tends to be quite technical in nature, involving the tracking of operational metrics, patch management levels, and the organization’s many administrative accounts. It is generally a good idea to resist the urge to take a deep technical dive during a presentation.
Prepare all tactical information in advance
According to Murphy, the first step for CISOs is to prepare all the lagging indicators and tactical information in advance for the board members to go through. In this way, they don’t have to spend time going over the same information again during the meeting.
CISOs should be prepared to make the most of the limited time available. Large and overly complicated presentations should be avoided. Instead, the board will better digest targeted, currently relevant information that directly affects the organization’s healthcare cybersecurity. Technical details such as percentages, costs, and other in-depth content are better delivered as meeting read-aheads. This gives the board an opportunity to review the content and come prepared with that information in mind.
What is a useful strategy for approaching the board?
In addition to sending information to the members in advance of the board meeting, CISOs should also approach the meeting itself with a specific strategy in mind. Murphy recommends the following approach:
1. Start with an overall assessment of the security state of the organization
“Your assessment should start with overall compliance guidelines and it should progress to a maturity score for compliance” says Murphy. CISOs should use standardization bodies such as ISO and HITRUST to come up with a composite score and to see where they stand.
This overall “big picture assessment” gives board members an easily digestible view of where the current cybersecurity state lies. The CISO can drill down from there where there are specific concerns.
2. Use a narrative-based approach
Use a narrative-based approach that resonates with board members and emphasizes the abilities of the security team. As important as percentages, charts, and statistics are, they should be the backdrop of the overall story the board hears. Murphy maintains that the key CISO role at the board meeting is “to instill confidence in management’s approach and the security program.”
CISOs should be prepared for presentations that extend beyond charts and graphs. A comprehensive, narrative-based approach makes better use of the limited time CISOs get in front of the board.
3. Discuss current projects on a broad-level basis
In most cases, board members are not concerned with the intricate details of ongoing projects. As much as a CISO may want to be transparent, the fine details of every ongoing project are not necessarily the board’s top concern.
Murphy shares that CISOs should be prepared to give a broad-level view of ongoing projects that are relevant to meeting today’s security threats and pivoting toward what we will likely face tomorrow. Board members are largely concerned with how the organization as a whole is affected by the current state of cybersecurity, and presentations should be framed accordingly.
4. Be prepared for questions
One of the most important parts of the meeting will involve questions that the board members may ask. As with any presentation, be prepared to answer questions regarding current events. “Because board members tend to sit on multiple boards, they are caught up with current events and are likely to ask where the organization stands in regards to those events,” says Murphy.
For example, after the recent Spectre and Meltdown vulnerabilities that affected healthcare cybersecurity, many board members of concerned organizations now want to know where they stand with regard to these risks.
Another potentially tricky question board members are likely to ask is “do you have everything you need?” Murphy calls this a “tricky” question for two reasons. First, CISOs don’t necessarily want to say that they have everything they need, as that would be disingenuous. Second, this is not the time to bring up new projects that have not yet been discussed with management.
The best approach is to consult with management about any proposed projects in advance of the board meeting, before deciding what will be presented to the board.
Helpful Advice for New CISOs
The field of healthcare cybersecurity, and cybersecurity in general, is relatively new. Most CISO positions are occupied by first-time CISOs who may have come from different backgrounds. It is, therefore, important for them to get a head start as they become acquainted with the organization and begin to prepare board-level presentations.
Murphy advises that, from day one, CISOs should build relationships within their teams and across the organization. “Security is typically just bolted onto the end of most operations, so it is important for you to get with business leaders and get into their timelines early,” says Murphy. New CISOs should try to have their processes built into business systems to make things easier for the team moving forward.
Because security has multiple dimensions (application security, network security, cloud security, etc.), CISOs should become acquainted with each dimension and how it affects the overall state of their company before their first meeting with the board.
In the spirit of information sharing prevalent at the recent H-ISAC Spring Summit, Sean Murphy agreed to share some of his accrued knowledge during an interview with H-ISAC staff, in an effort to be of assistance to other CISOs. He described the Summits as conducive to good conversations with a strong collection of practitioners and thought leaders in healthcare information security. He said of the networking opportunities, “Nothing can compare to sharing war stories; it helps to benchmark how my security team is doing and to get ideas of where we need to go.” To learn more about upcoming H-ISAC Summits, go to https://h-isac.org/events/.