
Top Traits of Effective Healthcare CISOs: Chief Information Security Officers and Their Staff

Date post: 09-Jul-2020
Top Traits of Effective Healthcare CISOs: Chief Information Security Officers and Their Staff. Session 153, February 22, 2017. Stephen Cobb, CISSP, MSc., Senior Security Researcher, ESET.
Transcript
Page 1: Top Traits of Effective Healthcare CISOs Chief Information ...cybersecurity under-hiring in healthcare could exceed 71% We find hiring for cybersecurity positions to be: Cobb, S. (2016)


Top Traits of Effective Healthcare CISOs
Chief Information Security Officers and Their Staff

Session 153, February 22, 2017

Stephen Cobb, CISSP, MSc. – Senior Security Researcher, ESET

Page 2:

Speaker Introduction

Stephen Cobb, CISSP, MSc.
Senior Security Researcher
ESET North America

Page 3:

Conflict of Interest

Stephen Cobb, CISSP, MSc.

Has no real or apparent conflicts of interest to report.

Page 4:

Agenda

• The challenge: staffing for cybersecurity in healthcare
• Navigating the cybersecurity skills gap and efforts to close it
• Cybersecurity work and the CISO role: assumptions and realities
• CISOs in healthcare: good news and not so good
• Recruitment and retention: what we are learning
• Helping Human Resources help you
• External resources you might find helpful
• Top trait takeaways

Page 5:

Learning Objectives

• Develop a deeper understanding of what it takes to successfully staff the roles and responsibilities involved in defending healthcare information systems
• Navigate the current research into effective cybersecurity staffing
• Analyze public and private initiatives that are working to close the cybersecurity skills gap
• Improve recruitment and retention efforts by applying findings from research into cybersecurity roles
• Learn how to advise Human Resources on cost-effective security recruitment strategies

Page 6:

Benefits Realized for the Value of Health IT

• Unbudgeted costs can be avoided by better security breach prevention and response through better cybersecurity staffing
• Efficient and effective cybersecurity staffing decisions reduce HR costs and improve ROI on human capital
• IT initiatives in patient engagement and population management can proceed more confidently when cybersecurity implications are addressed by effective healthcare CISOs

Page 7:

A quick word about sources

• The (ISC)2 Global Information Security Workforce Survey = GISWS
• The CISO Survey – Cobb, S.
• Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap – Cobb, S.
• Examination of personality characteristics among cybersecurity and information technology professionals – Freed, S.
• Healthcare CISO Project – ongoing

Page 8:

The challenge: staffing for cybersecurity in healthcare

“The security aspect of cyber is very, very tough, and maybe, it’s hardly doable.”
– US Presidential Candidate Donald Trump, 9/26/16

• Cybersecurity is hard, and getting harder
• The supply of skilled cybersecurity professionals has not kept pace
• Cybersecurity in healthcare is even harder
• Staffing for cybersecurity in healthcare is a serious challenge, but there are some strategies that can help

Page 9:

Q1. Filling cybersecurity roles in my organization is:

1. Very difficult
2. Moderately difficult
3. Moderately easy
4. Very easy

Page 11:

Why is cybersecurity in healthcare so hard?

• Cybersecurity means sharing some data with some people but not others
• Healthcare requires a lot of data sharing with a lot of different people
• Healthcare data has a high market value to “others”
• It exists on, and flows between, more different devices, located in more dispersed settings, for more diverse needs, than any other sector
• Meaning more attack vectors, from more threat actors

“There’s a very different risk calculus in healthcare.”
– CISO who came to healthcare from defense

#1 trait: Broad understanding of the security field

Page 12:

Healthcare CISOs may need more of everything

12 factors for success as an information security professional, rated and ranked: the healthcare sector versus all sectors

Source: Secondary analysis of (ISC)2 Global Information Security Workforce Survey data tables by the author

Page 13:

The cybersecurity skills gap and efforts to close it

• Globally: 1 million more people with cybersecurity skills are needed (F&S)
• US: >200,000 open jobs (Cobb)
• President’s Commission on Enhancing National Cybersecurity: need to train 100,000 as a matter of urgency
• 82% of organizations say there’s a serious shortage of cybersecurity skills
• 71% cite shortage as responsible for direct and measurable damage to their organization “including the loss of proprietary data and IP” (Intel/CSIS)

Page 15:

The skills gap will hurt healthcare

• Assume that 4 out of 5 organizations are finding it hard to hire
• And the demands of the job in healthcare are above average
• And some healthcare job locations are not universally appealing
• The experience of “direct and measurable damage” due to cybersecurity under-hiring in healthcare could exceed 71%

We find hiring for cybersecurity positions to be:

Cobb, S. (2016) “Getting to know CISOs: Challenging assumptions about closing the cybersecurity skills gap”, University of Leicester MSc dissertation

Page 16:

The cybersecurity skills gap and efforts to close it

• NICE: National Initiative on Cybersecurity Education
  – Cybersecurity Workforce Framework
  – NIST SP 800-181
  – Applicable across sectors
  – CyberSeek.org
• Sector specific:
  – Smart Grid Cybersecurity: Job Performance Model Report (PNNL 21639)
• Inspire students and job seekers to pursue cybersecurity as a career
• Tap minorities, veterans, diversity
• Multiple organizations involved: (ISC)2, CompTIA, Life Journey, Cyber Centers of Excellence, Cyber Patriot, Cyber Cup, Cyber Maryland, Cyber California

#2 trait: An open mind

Page 18:

• CyberSeek.org
• Uses standardized taxonomy of KSAs
• Career pathway
• Interactive map

Page 19:

CISOs in general: assumptions*

• Cyber security requires:
  – At least a computer science degree
  – Preferably an information security degree
  – Technical skills
• CISOs are the upper end of the cybersecurity profession, so they must need all of those plus management skills

*Literature review, Cobb

Page 20:

CISOs in general: realities

• To achieve success CISOs say they need soft skills – like communication and a broad understanding of security and business (GISWS and Cobb)
• CISOs rank these higher as success factors than technical skills or domain-specific security knowledge (GISWS and Cobb)
• The value placed on soft skills increases as time in the profession and/or responsibility for cybersecurity increases (GISWS and Cobb)
• For CISOs, having a degree (of any kind) is valued lower than attributes such as analytical thinking, communication, broad understanding of threats, technical knowledge, professional certification (Cobb)

Page 21:

CISOs in healthcare: the not so good news

• Less likely to have information security certifications
• Less likely to say they have enough staff
• Less likely to think their employer’s cybersecurity training and professional development is adequate
• More likely to have to pay for training themselves

Significant sector specific concerns: higher than average focus on compliance, knowledge of regulatory policies, and BYOD

#3 trait: Conscientious

Page 22:

Q2. Does your healthcare organization have enough cybersecurity staff?

1. Yes
2. No
3. It’s hard to say
4. I don’t work for a healthcare organization

Page 24:

CISOs in healthcare: some good news

• More likely to report to C-suite
• More of their employees likely to be satisfied with their job
• More of their employees open to pursuing cybersecurity certification

Sector specific potential: high levels of job satisfaction, willingness to learn, and management support are all helpful in attracting cybersecurity candidates

Page 25:

Healthcare CISO insights

“Typically, IT security is the same from one industry to another, but that’s not true for healthcare. Takes time to get up to speed.”

“Healthcare security tends to be behind the curve, a hard shell but soft center. Too many big, flat open networks. And I still hear: ‘why would anyone want to attack us?’”

“Too many layers of bureaucracy.”

Page 26:

Healthcare CISO insights

“To do cybersecurity in healthcare you need a thorough understanding of the rules and regulations, and there are a lot of them. I’d say it’s definitely more complex than Sarbanes–Oxley and PCI DSS.”

“In healthcare there’s a lot of legacy equipment, so you need a basic understanding of everything IT, which takes years to accumulate.”

“There’s a very different risk calculus.”

Page 27:

Healthcare cybersecurity recruitment and retention:

• Attracting new talent
  – Show commitment to security
  – Show commitment to ongoing education, both hard and soft skills
  – Use standard terms for KSAs
  – Avoid laundry list job descriptions
  – Craft “requirements” with care
  – Help HR to help you
• Working with internal talent
  – Identify the talent, those with cybersecurity aptitude and interest
  – Nurture with mentoring, training, conferences, recognition
• If your location lacks cyber-appeal then “growing your own” may be your best strategy and most cost effective

#4 trait: Imagination

Page 28:

Healthcare IT security recruiting: Personality and potential

• When healthcare CISOs look to close the skills gap by fostering internal talent, it helps to look at personality
• Industrial psychology and personality psychology have been applied in many different industries to better understand who is a “good fit” for particular workplace roles
• Healthcare IT security has so far escaped serious scrutiny but there are some indicators of promising personality traits

Page 29:

CISO personality insights

Testing with IPIP NEO, Freed found that IT cybersecurity workers scored higher on Openness and Conscientiousness, and lower on Neuroticism, than regular IT folks. Cobb found this difference was even greater in CISOs. (Sector-specific studies have not yet reached statistical significance.)

#5 trait: Strong nerves

Page 30:

Helping Human Resources to help you

Attribute                                                    Mean  Rank
Communication skills                                         4.43     1
Broad understanding of the security field                    4.42     2
Awareness and understanding of the latest security threats   4.38     3
Technical knowledge                                          4.32     4
Knowledge of relevant regulatory policy                      3.93     5
Security policy formulation and application                  3.91     6
Leadership skills                                            3.89     7
Possession of an information security certification          3.76     8
Project management skills                                    3.65     9
Business management skills                                   3.54    10
Legal knowledge                                              3.29    11
Possession of an information security degree                 3.09    12

• Take time to explain the nature of cybersecurity work
• Have input on job listings, push for broader parameters if appropriate
• Offer to help with resumé screening and initial candidate evaluation
• Be clear what you are looking for and how to recognize it

#6 trait: Communication skills

Page 31:

Helpful resources

• Network nationally and locally
  – HIMSS, AEHIS.org
  – NH-ISAC, Infragard
  – ISSA and certification orgs
  – Local CISO roundtables
• Do CISOs in healthcare network and share less than those in other sectors?
• This may be understandable, but it is probably not healthy

#7 trait: Humility

Effective CISO Survey: the vital ingredient of effective CISOs most frequently cited when people offered “other” qualities besides those listed in the survey instrument: humility.

Page 32:

Top traits and further research

1. Broad in understanding
2. With an open mind
3. Conscientious
4. Strong nerves
5. Strong imagination and
6. Good communication skills
7. Plus humility

In terms of personality psychology:

• Cybersecurity folks are measurably different from other IT workers
• CISOs are more different
• These differences warrant further research by sector, because healthcare CISOs might be even more different
• If they are different, it would be really helpful to know that, and in what ways

Page 33:

Q3. Is America currently experiencing a cyber crime wave?

1. No
2. Yes

Page 35:

Benefits Realized for the Value of Health IT

• Unbudgeted costs can be avoided by better security breach prevention and response through better cybersecurity staffing
• Efficient and effective cybersecurity staffing decisions reduce HR costs and improve ROI on human capital
• IT initiatives in patient engagement and population management can proceed more confidently when cybersecurity implications are addressed by effective healthcare CISOs

Page 36:

Questions

[email protected]

• www.ESET.com
• www.WeLiveSecurity.com
• www.zcobb.com
• Twitter: @zcobb
• Please complete the online session evaluation
