Cyber security breaches point to a bigger problem than inadequate security technology or processes. They point to failed leadership and governance strategies.

Mansur Hasib, Cybersecurity Professional, Author, and Speaker

September 23, 2014

3 Min Read

Mental Health Tools: From Office To Pocket

Mental Health Tools: From Office To Pocket


Mental Health Tools: From Office To Pocket (Click image for larger view and slideshow.)

Recent news that a bot infected a test server for the Healthcare.gov website points to failure of governance. Details of the Target, Community Health Systems, and Home Depot breaches also point to governance failures. On the surface it may appear to be a technical vulnerability. However, the problem is that too many healthcare and other organizations implement cyber security at the end of the development cycle, not at the beginning; they do not bake cyber security into all their business and development processes. They also tend to view the cost of cyber security as an unnecessary evil instead of a vital component of their business strategy. It is a failure of corporate leadership and governance -- not technology.

The telltale sign: This was a test server and was never supposed to be connected to the Internet -- apparently an adequate justification for many people. My question: Why does the test server not have the same security features of the production server that is connected to the Internet? The excuse I typically hear is that developers build these servers at will and do not install all appropriate security patches and features in the interest of expediency. A specialized team of people applies patches, fixes, and system hardening techniques much later. That is a failure of governance and leadership.

There are a few major problems with this patch-later approach:

  1. There is hardly enough time to do an adequate job of security testing of the system and this testing invariably conflicts with the production schedule, so senior executives (non-IT) make many compromises in the interest of launching on the advertised target date.

  2. Once IT applies some fixes, they tend to break some functionality, introduce new bugs, or produce several unexpected results.

  3. There is a high degree of friction between the developer team and the security team, both of which tend to forget they are on the same team.

  4. Training environments become completely unrelated to reality.

Every server must have standards that they adhere to, and anyone configuring a server has to adhere to those standards. This is standard operating procedure. It is imperative that healthcare organizations bake cyber security into the process at the beginning and not at the end. The advantages of this approach include:

  1. Cyber security becomes everyone’s responsibility, not just the "security team’s" job.

  2. The developer team and the security team establish a symbiotic relationship from the start.

  3. The organization establishes an engrained culture of appropriate cyber security and risk management.

  4. Nobody needs to fear even "accidental" connections of test servers to the Internet.

  5. The risk of future functionality problems or the danger of introducing new bugs is reduced.

  6. Training can occur on systems that are more realistic.

  7. Target deadlines for production do not compete with system security.

This is not an issue that can be fixed technically -- and organizations or politicians should not look for answers there. What we need is an organization's senior level business leaders to accept that cyber security is a risk management business process. For that, they must understand cyber security leadership at a business level. Business leaders need to implement a governance framework that makes cyber security a culture within the organization.

Do you need a deeper leadership bench? Send your most promising leaders to our InformationWeek Leadership Summit, Sept. 30 in New York City, for a day of peer learning and strategic speakers.

About the Author(s)

Mansur Hasib

Cybersecurity Professional, Author, and Speaker

Dr. Mansur Hasib is the only cybersecurity professional in the world with 12 years' experience as CIO; a Doctor of Science (DSc) in Cybersecurity; CISSP (cybersecurity); PMP (project management), and CPHIMS (healthcare) certifications, who has written two books on the subjects of cybersecurity and healthcare security and privacy. A global thought leader, Dr. Hasib has led technology and cybersecurity strategy for almost 30 years in healthcare, education, biotechnology, and energy. He is a frequent speaker at local, national, and international conferences in healthcare information technology, and cybersecurity and privacy. For his doctoral dissertation in 2013, Dr. Hasib conducted a national study in US healthcare and examined the relationship between cybersecurity culture and cybersecurity compliance and published the results in a book, Impact of Security Culture on Security Compliance in Healthcare in the United States of America. This work was cited in the references for ISC2's new healthcare security and privacy certification. In March 2014, Dr. Hasib published Cybersecurity Leadership: Powering the Modern Organization . In this work he shared his cybersecurity leadership model and life-long learning, drawing many examples from his practical experiences, research, and observations. His leadership model is applicable in any organization. Follow him on Twitter at @mhasib.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights