The Lone Wolf
Some months ago I responded to a question in the ISACA forum posed by a person who described himself as a lone wolf security professional. In being alone, he was involved in all information security tasks, in every phase of the Deming circle—Plan, Do, Check and Act. The question asked if it was possible and ethical to check his own policy, plan and progress; this is a very good question, and a dilemma that is known by many information security professionals.
In 2010, the Dutch government forced all hospitals to implement information security. This resulted in the creation of my own job as information security officer in one of the larger hospitals in the south of The Netherlands. It was a huge challenge; I had a willing management, but very limited resources, and I was the only information security professional in the organization. In other words, I was a lone wolf. And I had, like the person on the forum, to check my own work. Not because nobody was willing to check my work, but because the knowledge was simply not there. Like the person on the forum, I felt very uncomfortable with that situation.
The Lone Wolf Seeks a Pack; the Expert Group
I was lucky; I had a full-time position, although my duties were many. Many colleagues in other hospitals had part-time positions. Thus, a common pool of knowledge did not exist. That is why I started my CISM training, became an ISACA member and contacted security colleagues from the other Dutch hospitals. Not surprisingly, everybody found themselves in the same situation as I did: limited resources and a deadly deadline set by the government. We decided to meet up. The first meeting with my fellow hospital information security colleagues numbered about 40 persons. A meeting room was kindly sponsored by the Dutch Hospital Association (NVZ). And so the expert group was born, and the lone wolf found himself a pack.
First, cooperation was limited to dividing work. Two of us looked into behavior training and a code of conduct, others wrote a security policy fit for hospitals, the third pair worked out a risk method, others took ICT security as their focus, etc. A digital forum was established to facilitate the cooperation of the group and the exchange of work.
After 2 meetings we started to discuss the inevitable experiences of various hospitals with serious security incidents. But we needed a base of trust for discussing these sensitive topics. We agreed as a group to use the Chatham House Rule for discussions, supported by a signed agreement to do so. We learned from each other, and I dare say that 1 meeting with this expert group would have taken me at least 4 weeks to accomplish had I done the work myself. By the end of 2010 all participants in the expert group successfully passed the obligatory external audit.
The expert group decided to continue. The improvements to information security were made, but there were many other issues. One was how to continue with auditing. We agreed that the external audit process for hospitals was poor. The auditors mostly had no clinical experience, the audits were expensive, and the audit approach used was so diverse that the results between hospitals had no basis for comparison.
Together with a colleague I proposed to organize audits between hospitals that were to be carried out by members of our expert group. Within 2 years’ time we trained over 60 persons as CISA auditors, and within 1 year the first audits took place. A team of 2 auditors from different hospitals audited a third hospital. Thus we solved several problems at once. We no longer had to check our own work, and we got relevant feedback at low cost.
This system is currently still working, and about 70% of the Dutch hospitals are participating. I decided some years ago to leave the hospital and start my own company. Currently, I help health care organizations with information security. Building expert groups is still part of my strategy.
Gilbert van Zeijl, MSc, CISA, CISM, Clinical Informatician
[ISACA Now Blog]