Can Healthcare Execs Be Security Experts Too? - InformationWeek


IT Leadership // Team Building & Staffing
Mansur Hasib


Trying to teach healthcare professionals security technologies is a risky idea. It's far easier to teach healthcare to security experts.

In the urgent scramble to hire cyber security executives, some organizations appear to favor time spent within a business vertical such as healthcare -- often against the advice of competent counsel. They bypass stronger cyber security professionals who would need to learn the new business environment in favor of candidates who understand the industry but need to learn cyber security. Essentially, these organizations try to turn healthcare executives into cyber security executives, a very risky idea indeed.

It will take an organization about a year to figure out it hired the wrong person. During that time more damage and more atrophy will occur. Even a wizard cannot fix years of neglect quickly, so hiring the right person the first time matters greatly.

Having transitioned into a variety of business environments during my career, and having observed failed transitions of business executives such as financial, marketing, or human resources officers into IT and cyber security executives, I urgently felt the need to share my thoughts on this. During the recent round of health insurance exchange implementations, we could have avoided many of the problems we saw if IT executives -- not healthcare executives -- had run the projects.


First, it takes years and very specialized training to become an IT executive. It takes even more specialized training to become a competent cyber security executive. People cannot become competent cyber security professionals within a few months. However, a competent cyber security executive who spent a lot of time in one industry can adapt to another industry within a short period of time -- usually three to six months -- depending on the size and complexity of the organization. I have done this several times throughout my career.

The key is to hire people who are T-shaped. These individuals have strong domain knowledge in a couple of key areas (the stem of the T) but are interdisciplinary and circumspect in their critical thinking and can adapt and apply their skills across a broad range of industries and situations (the top of the T).

Organizations need to understand that cyber security is a vast field, and a cyber security executive must have a balanced approach to using technology, policy, and people. Although not the only measure, a good metric of cyber security executive skills is the CISSP certification -- Certified Information Systems Security Professional. This is not a technical certification, although many seem to think so. I have seen ads for much lower-level and even technical positions requiring a CISSP.

While preparing for and then taking the lengthy CISSP test back in 2009, I realized how CISSPs have to think. Every answer for most questions in the practice exams and the actual test was correct. Our coach warned us there was a 70% failure rate because most people who come from a very technical role tend to choose the best technical answer. Instead, the test assessed the subjective skill of selecting the optimal answer -- the one that required a leadership framework of thinking and the answer that was most circumspect. Business skills such as risk mitigation, gathering more information, assessing choices against the mission, communicating with people, and governance skills had a major role in helping us choose the best response.

Finding the best cyber security executive is far more important than choosing someone who has spent a lot of time in the industry. In the healthcare sector, I have observed many hospitals that rely heavily on vendors and contract workers and do not even have internal IT talent, much less IT executives such as a CIO or CISO. In these organizations even existing CIOs are much more into budgets and financial management than technology or cyber security strategy. 

The only way to address this is to seek out true IT executives who are interested and excited about the organization's mission, someone who can be a key member of the team and a true partner for the CEO. Every industry has some industry-specific laws, rules, and regulations. Most often there are people within the organization who can help a cyber security executive transition by explaining the business and providing the industry-specific knowledge required to succeed. If an organization hires a business executive, since it has no executive cyber security talent to begin with, who is going to help the CSO transition into a cyber security professional? The experiment is doomed to fail from the start, and it could be a really expensive and embarrassing failure.


Dr. Mansur Hasib is the only cybersecurity professional in the world with 12 years' experience as CIO; a Doctor of Science (DSc) in Cybersecurity; CISSP (cybersecurity); PMP (project management), and CPHIMS (healthcare) certifications, who has written two books on the ...
Comment (User Rank: Author), 8/11/2014 12:15:02 PM -- Security First

We all have to learn an industry some time, whether we've been involved in one sector for decades or it's our first job. We're a pretty good species, in terms of adaptation, and can pick up the lingo fairly fast. A CISO who understands security, risk management, and how to work across multiple departments adds more value than someone who's a whiz at healthcare but a novice or less experienced at security.