Top Traits of Effective Healthcare CISOs (Chief Information Security Officers) and Their Staff
Session 153, February 22, 2017
Stephen Cobb, CISSP, MSc. – Senior Security Researcher, ESET
Speaker Introduction
Stephen Cobb, CISSP, MSc.
Senior Security Researcher
ESET North America
Conflict of Interest
Stephen Cobb, CISSP, MSc.
Has no real or apparent conflicts of interest to report.
Agenda
• The challenge: staffing for cybersecurity in healthcare
• Navigating the cybersecurity skills gap and efforts to close it
• Cybersecurity work and the CISO role: assumptions, and realities
• CISOs in healthcare: good news and not so good
• Recruitment and retention: what we are learning
• Helping Human Resources help you
• External resources you might find helpful
• Top trait takeaways
Learning Objectives
• Develop a deeper understanding of what it takes to successfully staff the roles and responsibilities involved in defending healthcare information systems
• Navigate the current research into effective cybersecurity staffing
• Analyze public and private initiatives that are working to close the cybersecurity skills gap
• Improve recruitment and retention efforts by applying findings from research into cybersecurity roles
• Learn how to advise Human Resources on cost-effective security recruitment strategies
Benefits Realized for the Value of Health IT
• Unbudgeted costs can be avoided by better security breach prevention and response through better cybersecurity staffing
• Efficient and effective cybersecurity staffing decisions reduce HR costs and improve ROI on human capital
• IT initiatives in patient engagement and population management can proceed more confidently when cybersecurity implications are addressed by effective healthcare CISOs
A quick word about sources
• The (ISC)2 Global Information Security Workforce Survey = GISWS
• The CISO Survey – Cobb, S.
• Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap – Cobb, S.
• Examination of personality characteristics among cybersecurity and information technology professionals – Freed, S.
• Healthcare CISO Project - Ongoing
The challenge: staffing for cybersecurity in healthcare
“The security aspect of cyber is very, very tough, and maybe, it’s hardly doable.”
– US Presidential Candidate Donald Trump, 9/26/16
• Cybersecurity is hard, and getting harder
• The supply of skilled cybersecurity professionals has not kept pace
• Cybersecurity in healthcare is even harder
• Staffing for cybersecurity in healthcare is a serious challenge, but there are some strategies that can help
Q1. Filling cybersecurity roles in my organization is:
1. Very difficult
2. Moderately difficult
3. Moderately easy
4. Very easy
Why is cybersecurity in healthcare so hard?
• Cybersecurity means sharing some data with some people but not others
• Healthcare requires a lot of data sharing with a lot of different people
• Healthcare data has a high market value to “others”
• It exists on, and flows between, more different devices, located in more dispersed settings, for more diverse needs, than any other sector
• Meaning more attack vectors, from more threat actors
“There’s a very different risk calculus in healthcare.”
– CISO who came to healthcare from defense
#1 trait
Broad understanding of the security field
Healthcare CISOs may need more of everything
[Chart: 12 factors for success as an information security professional, rated and ranked, the healthcare sector versus all sectors]
Source: Secondary analysis of (ISC)2 Global Information Security Workforce Survey data tables by the author
The cybersecurity skills gap and efforts to close it
• Globally: 1 million more people with cybersecurity skills are needed (F&S)
• US: >200,000 open jobs (Cobb)
• President’s Commission on Enhancing National Cybersecurity: need to train 100,000 as a matter of urgency
• 82% of organizations say there’s a serious shortage of cybersecurity skills
• 71% cite shortage as responsible for direct and measurable damage to their organization “including the loss of proprietary data and IP” (Intel/CSIS)
The skills gap will hurt healthcare
• Assume that 4 out of 5 organizations are finding it hard to hire
• And the demands of the job in healthcare are above average
• And some healthcare job locations are not universally appealing
• The experience of “direct and measurable damage” due to cybersecurity under-hiring in healthcare could exceed 71%
[Chart: We find hiring for cybersecurity positions to be:]
Source: Cobb, S. (2016) “Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap”, University of Leicester MSc dissertation
The cybersecurity skills gap and efforts to close it
• NICE: National Initiative on Cybersecurity Education
– Cybersecurity Workforce Framework
– NIST SP 800-181
– Applicable across sectors
– CyberSeek.org
• Sector specific:
– Smart Grid Cybersecurity: Job Performance Model Report (PNNL 21639)
• Inspire students and job seekers to pursue cybersecurity as a career
• Tap minorities, veterans, diversity
• Multiple organizations involved: (ISC)2, CompTIA, Life Journey, Cyber Centers of Excellence, Cyber Patriot, Cyber Cup, Cyber Maryland, Cyber California
#2 trait
An open mind
CyberSeek.org
• Uses standardized taxonomy of KSAs
• Career pathway
• Interactive map
CISOs in general: assumptions*
• Cyber security requires:
– At least a computer science degree
– Preferably an information security degree
– Technical skills
• CISOs are the upper end of the cybersecurity profession, so they must need all of those plus management skills
*Literature review, Cobb
CISOs in general: realities
• To achieve success CISOs say they need soft skills – like communication and a broad understanding of security and business (GISWS and Cobb)
• CISOs rank these higher as success factors than technical skills or domain-specific security knowledge (GISWS and Cobb)
• The value placed on soft skills increases as time in the profession and/or responsibility for cybersecurity increases (GISWS and Cobb)
• For CISOs, having a degree (of any kind) is valued lower than attributes such as analytical thinking, communication, broad understanding of threats, technical knowledge, professional certification (Cobb)
CISOs in healthcare: the not so good news
• Less likely to have information security certifications
• Less likely to say they have enough staff
• Less likely to think their employer’s cybersecurity training and professional development is adequate
• More likely to have to pay for training themselves
Significant sector specific concerns: higher than average focus on compliance, knowledge of regulatory policies, and BYOD
#3 trait
Conscientious
Q2. Does your healthcare organization have enough cybersecurity staff?
1. Yes
2. No
3. It’s hard to say
4. I don’t work for a healthcare organization
CISOs in healthcare: some good news
• More likely to report to C-suite
• More of their employees likely to be satisfied with their job
• More of their employees open to pursuing cybersecurity certification
Sector specific potential: high levels of job satisfaction, willingness to learn, and management support are all helpful in attracting cybersecurity candidates
Healthcare CISO insights
“Typically, IT security is the same from one industry to another, but that’s not true for healthcare. Takes time to get up to speed.”
“Healthcare security tends to be behind the curve, a hard shell but soft center. Too many big, flat open networks. And I still hear: ‘why would anyone want to attack us?’”
“Too many layers of bureaucracy.”
Healthcare CISO insights
“To do cybersecurity in healthcare you need a thorough understanding of the rules and regulations, and there are a lot of them. I’d say it’s definitely more complex than Sarbanes–Oxley and PCI DSS.”
“In healthcare there’s a lot of legacy equipment, so you need a basic understanding of everything IT, which takes years to accumulate.”
“There’s a very different risk calculus.”
Healthcare cybersecurity recruitment and retention:
• Attracting new talent
– Show commitment to security
– Show commitment to ongoing education, both hard and soft skills
– Use standard terms for KSAs
– Avoid laundry list job descriptions
– Craft “requirements” with care
– Help HR to help you
• Working with internal talent
– Identify the talent, those with cybersecurity aptitude and interest
– Nurture with mentoring, training, conferences, recognition
• If your location lacks cyber-appeal then “growing your own” may be your best strategy and most cost-effective
#4 trait
Imagination
Healthcare IT security recruiting: Personality and potential
• When healthcare CISOs look to close the skills gap by fostering internal talent, it helps to look at personality
• Industrial psychology and personality psychology have been applied in many different industries to better understand who is a “good fit” for particular workplace roles
• Healthcare IT security has so far escaped serious scrutiny but there are some indicators of promising personality traits
CISO personality insights
Testing with IPIP NEO, Freed found that IT cybersecurity workers scored higher on Openness and Conscientiousness, and lower on Neuroticism, than regular IT folks. Cobb found this difference was even greater in CISOs. (Sector-specific studies have not yet reached statistical significance.)
#5 trait
Strong nerves
Helping Human Resources to help you
Attribute / Mean / Rank
Communication skills 4.43 1
Broad understanding of the security field 4.42 2
Awareness and understanding of the latest security threats 4.38 3
Technical knowledge 4.32 4
Knowledge of relevant regulatory policy 3.93 5
Security policy formulation and application 3.91 6
Leadership skills 3.89 7
Possession of an information security certification 3.76 8
Project management skills 3.65 9
Business management skills 3.54 10
Legal knowledge 3.29 11
Possession of an information security degree 3.09 12
• Take time to explain the nature of cybersecurity work
• Have input on job listings, push for broader parameters if appropriate
• Offer to help with resumé screening and initial candidate evaluation
• Be clear what you are looking for and how to recognize it
#6 trait
Communication skills
Helpful resources
• Network nationally and locally
– HIMSS, AEHIS.org
– NH-ISAC, Infragard
– ISSA and certification orgs
– Local CISO roundtables
• Do CISOs in healthcare network and share less than those in other sectors?
• This may be understandable, but it is probably not healthy
#7 trait
Humility
Effective CISO Survey: the vital ingredient of effective CISOs most frequently cited when people offered “other” qualities besides those listed in the survey instrument: humility.
Top traits and further research
1. Broad in understanding
2. With an open mind
3. Conscientious
4. Strong nerves
5. Strong imagination and
6. Good communication skills
7. Plus humility
In terms of personality psychology:
• Cybersecurity folks are measurably different from other IT workers
• CISOs are more different
• These differences warrant further research by sector, because healthcare CISOs might be even more different
• If they are different, it would be really helpful to know that, and in what ways
Q3. Is America currently experiencing a cyber crime wave?
1. No
2. Yes
Questions
• www.ESET.com
• www.WeLiveSecurity.com
• www.zcobb.com
• Twitter: @zcobb
• Please complete the online session evaluation