Healthcare CISOs: Manage infosec risks and safeguard patient safety

Prominent CISOs from leading health systems and providers throughout the country have come together to establish the Provider Third Party Risk Management Council to develop, recommend and promote a series of practices to manage their information security-related risks in their supply chain and to safeguard patient safety and information.

Members of the Council observed that their supply chains are filled with third parties who support the care delivery process and require access to patient information. Properly vetting and monitoring these third parties is a major challenge, and in some cases insurmountable for organizations that simply don’t have the expertise or resources. Through innovation and industry leadership, the council is developing common vetting and oversight practices that will benefit health systems, hospitals and other providers in the United States and around the world.

“Health systems and other providers need to be more active in assessing and monitoring risks posed by third parties to protect patient information while delivering effective care,” says Taylor Lehmann, CISO of Wellforce, parent organization of a health system that includes Tufts Medical Center and Floating Hospital for Children. “The primary challenge is organizations can engage with vendors of various sizes, maturity and complexity without really knowing whether the vendor should be engaged in the first place based on their beliefs and investment in cybersecurity.”

Lehmann says third parties may have a small number of customers or possibly hundreds or thousands to serve. For third parties, this challenge has resulted in lost time and resources in attempting to comply with each organization’s risk management requirements and ensure efficiency for both parties.

The council is working with the HITRUST CSF and its assurance programs for this initiative to better manage risk. The organizations on the council have each independently decided to require their third-party vendors to become HITRUST CSF Certified within the next 24 months. The HITRUST CSF Certification will serve as their standard for third parties providing services that require access to patient or sensitive information and will be accepted by all the council’s organizations.

Goal of the Provider Third-Party Risk Management Council

The Provider Third Party Risk Management Council recognizes that a more efficient approach to third-party assurance is necessary and strives to improve how the industry approaches assessing, monitoring, and responding to risks posed by third parties. By choosing to adopt a single assessment and certification program, healthcare organizations represented by the council are prioritizing the safety, care, and privacy of their patients by providing clarity and adopting best practices that their vendors can also adopt, while providing vendors the expectation of what it takes to do business with their organizations.

“We believe the healthcare industry as a whole, our organizations and our third parties will benefit from a common set of information security requirements with a standardized assessment and reporting process,” says John Houston, Vice President, Privacy and Information Security & Associate Counsel, UPMC. “We are strongly encouraging other provider organizations to follow suit and adopt these principles.”

The founding member organizations for the Provider Third Party Risk Management Council include:

  • Allegheny Health Network
  • Cleveland Clinic
  • University of Rochester Medical Center
  • UPMC
  • Vanderbilt University Medical Center
  • Wellforce/Tufts University

Help Net Security

Source: https://www.helpnetsecurity.com/2018/08/30/provider-third-party-risk-management-council/

Calling All CISOs: Speak the Language of Business

As a business executive or board member, how do you feel when you are talking to your organization’s CISO? Do you feel like you are on the same page, speaking the same language? Or do you feel overwhelmed by jargon and techno-babble that requires an interpreter?

If your answer is the latter, it’s not your fault. You shouldn’t have to know all of the jargon or speak in the language of a technologist. Rather, your CISO should be speaking the language of business in a way that is easy to understand, relatable to your needs and focused on the bottom line.

That’s the advice of Diane E. McCracken, and she should know. McCracken is a widely known and well respected chief security officer at a midsized bank located in the northeastern United States and, as she says, a technologist at heart. But although tech talk is her native language, speaking it in the boardroom is a definite no-no.

“In today’s environment, cybersecurity professionals need to learn a new language,” she says. “The language of money. That’s when board members and executive management pay attention. They need to know what the investment is really buying and whether it will protect the organization.”

McCracken offers advice to her colleagues and peers as a speaker at various conferences and, recently, as an author in the upcoming book Navigating the Digital Age, Second Edition, published by Palo Alto Networks. She also provides guidance for business leaders on what to expect and demand from their CISOs.

For CISOs, the main advice is to learn the language of business: use numbers, speak in specifics about risk, anticipate questions and use your imagination. In one particular case, she used an allusion to the pop icon Taylor Swift to make a point about cloud computing. But if Taylor Swift doesn’t work, there are always two areas that will resonate: one is risk and its consequences; the other is business enablement.

Advice for Executive Management and Board Members

Just because the onus is on the CISO to speak in your language, that doesn’t let you off the hook as a business leader, says McCracken. You too have to be vigilant. You have to establish a regular cadence that includes the topic of cybersecurity in board meetings. You have to insist that the security teams present information in language and formats that are clear, simple to understand, relatable and focused specifically on the value to the business. Most of all, you have to support your cybersecurity leaders.

“They are fighting a nameless, faceless adversary on your behalf,” McCracken says. “They have to be right thousands of times a day; the bad guys have to be right just once. In order to be successful in the cyber world, both parties must be in sync, and only through these conversations will that be possible.”

The Language of Business Enablement

One of the more important challenges for CISOs is embracing the concept of cybersecurity as a business enabler—and then articulating that value so it captures the attention of business decision-makers. McCracken offers one example where the solution was to show the board the money.

In her organization, the tech teams had a desire to bring software development in-house as a means to improve quality assurance and accelerate speed to market. From McCracken’s perspective, the key was to ensure that security was factored in at every stage of the development cycle. To convince the board, she created a flow chart that showed the cost of remediation early, midway and at the end of the development cycle. The numbers told the story for her and the board fully funded the program.

“In a case such as this, it is clear that the role of the CISO is as a business enabler,” she says. “It’s not our job to say ‘No.’ Our job is to advise on the risk and put the controls in place to appropriately limit that risk. When the business needs board sign-off, I must be able to address the risk in language the board members understand. With business leaders and the board, money is the universal language.”

Source: https://www.securityroundtable.org/calling-all-cisos-speak-the-language-of-business/

Cybersecurity And The New CISO: The Leadership Enigma

As chief cybersecurity advisor, I regularly receive requests from recruiters working in the field. Acknowledging the economic forces at play, I appreciate that global demand for cyber professionals exceeds supply. Add to this the increasing rate of organizational breaches and explosion in technology and online services, and it is easy to see why demand has spiked.

All of these factors have no doubt fueled a boom in the cybersecurity industry, bringing with it the problem of questionable leadership. There are those who aspire to be cyber professionals, who may even have an IT background but do not have the necessary knowledge, experience, training and time at the coal face in cyber roles. Put simply, they lack good pedigree. The next time someone wants to talk to you about “risk,” ask them if they have ever conducted a threat risk assessment or managed incident response. More than likely, the answer is no.

How do we get the right cyber leadership?

Let’s first consider this through recruitment of a key cyber role — the CISO (chief information security officer).

Recruitment needs to start with well-constructed job descriptions and criteria. CISOs need to be able to develop and set strategic direction for cyber risk and information security. Their areas of responsibility should include:

1. Risk management/risk culture.

2. Documentation standards.

3. Relationships and communication — in particular, with senior management and industry.

4. Incident response and business continuity.

5. Third party management.

6. Compliance activities.

7. Technical capability and delivery.

A must-have requirement is the ability to maintain a current understanding of the cyber threat environment for their industry and related laws and regulations and the ability to translate that knowledge to identify risk and develop actionable plans to protect the business.

Similar challenges exist for project manager (PM) roles. A good PM can make a significant difference to the timely delivery of a cybersecurity project, ensuring it stays within budget and delivers the intended outcome.

Along with project management ability, the PM needs acumen in IT and cybersecurity. This should be mandatory. Many PM job descriptions now explicitly specify such things as:

• Technical knowledge of ICT infrastructure (software and hardware) and experience with toolsets used by ICT organizations in the security, management and delivery of their services.

• Extensive understanding of ICT concepts and the system development life cycle management methodologies, including experience with agile application development teams.

Developing job criteria can be a challenge, but there are now a number of recognized national standards to help.

The Institute of Information Security Professionals Skills Framework (IISP) was developed in collaboration with public, private, academia and industry security leaders. The framework uses a consistent language in describing the range of competencies expected of information security and information assurance professionals in the effective performance of their roles.

The National Cybersecurity Workforce Framework, published as NIST Special Publication 800-181, is part of the National Initiative for Cybersecurity Education (NICE). It categorizes and describes cybersecurity work through a set of components, using a common language.

Another tip in recruiting is the interview panel. It must include members who understand the specialized field within which they are interviewing and filtering candidates.

What makes an effective CISO?

To be effective, a CISO needs both a blend of technical knowledge, business acumen and cybersecurity skills, and an appropriate position within the organization that allows them to deliver on their mandate.

The CISO needs to be able to execute on all fronts of cybersecurity practice, through using their business and security acumen. They also need to incorporate prudent risk management through building and delivering on a risk-based portfolio strategy (including prevention, response, mitigation, insurance and measurement) or business-driven security. This means looking at the organization’s portfolio of risk and determining how cybersecurity plays into each risk.

While I am a big fan of qualifications and certifications, I also believe that informal qualifications are just as important — as long as they are relevant. The qualifications that go into a well-rounded CISO are a blend. Many organizations now require some baseline degree in a relevant discipline along with a range of hard and soft skills. Hard skills can include security concepts (authentication/authorization, operating systems, DNS routing), risk assessment methodologies, network architecture and compliance standards (such as PCI, NIST, GDPR), to name a few. Soft skills such as communications, interpersonal/negotiation skills and strategic planning are now hugely favored.

To effectively influence change and set direction in support of real business objectives, the CISO should be elevated to the equivalent of the CIO. Conflicts of interest aside, I have seen many times when the CISO role falls under the CIO, and their focus is diverted toward plugging security gaps and never actually leading and planning for the future. Moving from problem to problem is an indicator that the organization does not have a mature risk management culture.

The New CISO

The new CISO must know how to quantify risk and understand business as well as cybersecurity technologies. They should have a passion for technology and security. They need to be a champion, educating the organization about the latest security strategies, technologies and methods.

They are no longer just the keeper of secrets or guardian at the gate. They are integrated into the business and taking a risk-based detective/hunter-style approach.

As the CISO role evolves from exposure mitigation to incorporating broader business risk management, the cybersecurity apparatus must also change as well. This means that certain traditional security tasks should move into operational IT areas. Risk management/risk culture through data capture and analytics should become the core functional capabilities.

This will mean having to retool/rekit your organization’s skill set to support more analytical thinking and promote a greater awareness of operational risk management.

The mission today is beyond just exposure and encapsulates everything from protecting brand and reputation, revenues or market share to enhancing shareholder value. This is how you evolve from a compliance-driven model to an intelligence-driven, agile model.

Leonard Kleinman, Chief Cyber Security Advisor, spokesperson and cybersecurity “best practice evangelist” with a focus on cyber threats to IT systems.

Source: https://www.forbes.com/sites/forbestechcouncil/2018/07/26/cybersecurity-and-the-new-ciso-the-leadership-enigma

What CISOs Can Do Today

In part three of our series, we laid out the five top priorities for CISOs as they shift their focus to the executive aspects of their roles and build out their teams. In this final part of our series, I join my colleagues Aileen Alexander from Korn Ferry and Paul Calatayud from Palo Alto Networks to look at those priorities in greater depth. Specifically, we focus on what CISOs can do today to empower their organizations.

No. 1: Addressing the cybersecurity skills gap and increasing cyber awareness

  • Be creative. Think differently about the teams you have today, how their skills match to the latest trends and train them as needed.
  • Work with HR to develop university outreach programs that focus on acquiring young talent early into the organization.
  • Focus on making it easier to consume security technology. If you can make it easier for others to approach your team and understand what your team does, then you have a higher likelihood of attracting a different type of talent that can bring a unique set of skills to your team.

No. 2: Incorporating regional laws and regulations into cyber strategy

  • Familiarize yourself with the impact of these regulations. Bring in a third-party expert to explain the intricacies and considerations.
  • Consider introducing the role of a business information security officer (or BISO) in certain key regions. While they may not be focused on cybersecurity, they should focus on the risks, regulatory impact and privacy laws in their respective countries.
  • Align closely with legal and policy teams to advise on the impact of these laws on your organization.

No. 3: Embracing the DevOps philosophy

  • Forge strong relationships with these teams and become more involved in their development processes.
  • In meetings and conversations, focus on risk guidance and why security is important to every application deployment.
  • Define and share security requirements in a way that they become a natural part of the development process.

No. 4: Tackling IoT security (corporate and personal)

  • Get involved in the process of IoT purchases at your company.
  • Expand cybersecurity awareness training to include education about personal IoT devices and the far-reaching impact these devices can have on the organization.
  • Advise employees on how to adjust device and app settings, such as location and data access, to protect employees and the company.

No. 5: Aligning with product and physical security

  • Proactively get involved and forge relationships with product and physical security teams.
  • Highlight the unique security risks and considerations for new products during early development stages.
  • Develop steering councils or security review committees with the teams responsible for product or physical security.

Conclusion

This is a very challenging time to be in cybersecurity. At the same time, it can be very exciting. The threat environment is becoming more sophisticated and the impact of cybercrime and data breaches is becoming more high profile and potentially disruptive. It is not unfair to say that the future of the organizations often rests in the hands of our CISOs and their teams.

As we’ve seen in this four-part series The Evolution of the Chief Information Security Officer, the increased profile, visibility and accountability of the CISO is causing significant changes in who will succeed in these positions and how they will operate. Being the most technically astute individual in the organization is not a bad thing, but it’s not the only attribute that will define a successful CISO, now and in the future.

Instead, CISOs will need to fit comfortably in the executive suite, speak the language of business and recognize that one of the most important roles they have to play is as a change agent. As we said at the outset, cybersecurity has expanded well beyond the confines of IT and is now a concern at the highest enterprise level. That reality will continue to determine how the role of the CISO continues to evolve in the future.

Editor’s note: thank you for reading part IV of our Korn Ferry CISO series. To catch up, you can view all of the articles in the series here.

Source: https://www.securityroundtable.org/what-cisos-can-do-today/

Top 5 Priorities of the CISO of Tomorrow

As the role of the CISO continues to evolve, areas that were once the personal responsibility of the CISO will shift to other members of their team.

What does that mean for the CISOs of tomorrow? How will they shift their focus to the “executive” aspects of their roles and build out their teams? How will they prioritize their roles and responsibilities? How will they interact with and communicate to the rest of the organization, whether it is the board, the C-suite, their own teams or the rank and file?

Working with my colleague Jamey Cummings at Korn Ferry and Paul Calatayud from Palo Alto Networks, we have identified the top five things CISOs will need to prioritize as they shift their focus to a role of business enablement, higher visibility, and greater accountability. They are:

No. 1: Addressing the cybersecurity skills gap and increasing cyber awareness.

This is a current challenge that is only growing. Addressing these needs sets the foundation for everything else the CISO must do in the coming years. Since the cybersecurity landscape is constantly changing, in addition to attracting new talent to the industry, continuous training and skills development for existing teams are essential. As different business units move data and services to the cloud, the CISO must develop programs and personnel to train the entire organization on proper cyber hygiene and cybersecurity awareness.

No. 2: Incorporating regional laws and regulations into cyber strategy

For multinational companies, larger strategic regional teams will be needed to address the complexity of data and privacy laws. GDPR, for example, is a regulation that is global in nature because of the number of companies around the world it impacts. When thinking about regulations like this, the question for companies becomes: how do you create capabilities that address something like GDPR in the context of European stakeholders while still considering Canadian or U.S. privacy laws?

No. 3: Embracing the DevOps philosophy

DevOps is a movement to reduce the technical inefficiencies between IT, developers and security teams. It is about automating the deployment, maintenance and security tasks that these teams have traditionally done manually and separately. What DevOps means for CISOs and security teams is that cybersecurity is starting to be prioritized at the outset of any IT-related project. CISOs who embrace the DevOps concept and prioritize DevOps roles on their teams will be better aligned to the rest of the organization in the coming years.

No. 4: Tackling IoT Security (Corporate and Personal)

According to Gartner Research, the projected number of connected devices is expected to reach 20 billion by 2020. With this comes more security risks. CISOs will need to start thinking about how to not only protect the IoT devices that are corporate property, but also the personal devices that are coming in and out of their networks. Oftentimes, IoT devices connect to company laptops or mobile phones that have legitimate access to the corporate network. It’s reasonable to assume that, if a personal IoT device is compromised, the corporate network might be vulnerable as well. Progressive CISOs will need to think about how to guard against threats posed by personal devices and figure out which members of their team are best-suited to manage that.

No. 5: Aligning with Product and Physical Security

While product and physical security teams might not fall under the CISO’s umbrella today, they will become increasingly intertwined as cybercriminals become more creative. CISOs should be thinking about how they will better align with the groups responsible for these disciplines to make sure that cybersecurity is consistent across all areas of the business.

Conclusion

Cyber risk touches every area of a modern business and the importance of the CISO and InfoSec Team is growing. Regardless of how these roles evolve in one organization versus another, CISOs will always have to go back to the same basic question: what do we need to prioritize to help keep our particular business secure and thriving? To learn more about what CISOs can do today to keep their businesses secure and thriving, see part four of our series: What CISOs Can Do Today, coming next week.


Source: https://www.securityroundtable.org/top-5-priorities-of-the-ciso-of-tomorrow/