I was fortunate to moderate a panel at the 6th Annual Privacy and Security Forum hosted by the Southern California Chapter of HIMSS. The panel included the following IT security experts:
- Bryan Kissinger – VP, Information Technology Risk Management and Chief Information Security Officer, Sharp HealthCare
- Tamer Azmy – Cyber Security Operations Manager, Cedars-Sinai Medical Center
- Gary Gooden – Chief Information Security Officer, Children’s Hospital Los Angeles
- Nolan Garrett – Chief Information Security Officer, Verity Health System
As moderator of the event, I got the chance to reflect on the viewpoints of my peers. Here are some takeaways I walked away with.
Gary Gooden on end-user involvement
When asked about securing an ROI from end-user security education, Gary made some excellent points. Among them, Gary stated, “You want to make end-users aware because they are a part of your security toolset, whether they know it or not… If you invest the right amount of time, even if you get a 1 or 2 percent return, it’s better than a 0 percent return.”
In an environment where social engineering techniques such as phishing are behind some of the most common and damaging breaches, end-user education helps prevent the avoidable ones: a user who recognizes and reports a phishing email is a detection control that no technical tool replaces.
Tamer Azmy on communicating with executives
When I asked the panelists how they communicate with executive leaders, Tamer kicked off the discussion by stating, “You should use absolute honesty when going to the board. If you go in and say everything is okay, you may lose your job… Funding is also a huge consideration. They have to want to give you money.”
Transparency is essential when communicating with the board. As other panelists commented, security experts translate technical information, develop a roadmap, present all alternatives and provide recommendations. If they can do all of those things and communicate honestly, they generate goodwill and give board members confidence when allocating funding.
Nolan Garrett on using a cybersecurity framework
I asked the panelists, “Do you use a framework to manage the effectiveness of your security program for strategic planning purposes?” Nolan began our discussion on this topic by stating, “We selected NIST CSF because we felt that it was easy to rapidly implement… You can break it down into five functions that make sense when you say the words.”
As Nolan suggested, NIST CSF provides a common cybersecurity language with five core functions: identify, protect, detect, respond and recover. (NIST CSF 2.0, released in 2024, adds a sixth function, govern, for the oversight and risk-management strategy that the other five depend on.) These functions provide an easy method to organize information, enable quicker risk management decisions and help show the impact of cybersecurity investments.
The structure provided by NIST CSF can be invaluable when translating technical information into practical solutions. Though NIST is a non-regulatory agency and adopting the framework is voluntary, it was encouraging to see that the other panelists had also adopted this common language.
Bryan Kissinger on metrics
The metrics used to measure IT security can make or break executive decisions. When asked about his favorite dashboard metrics, Bryan replied, “A metric is only as good as how it can measure what has changed over time. A lot of these static number metrics I don’t find useful. Like the number of patches we’ve done last month – Who cares? If someone can say who cares, it’s not a good metric. I try to talk about the rate of infections, cleaning, blockages, and are we seeing trending information up or down.”
IT security experts want to see the organizations they work with thrive. When presenting metrics to the board, they need to make sure they’re presenting valuable information that’s easily digestible. A raw count (patches applied, alerts closed) says nothing about whether risk went up or down; a rate tracked over time does. By presenting trends as Bryan suggested, leaders can better understand how their environment is functioning and where it’s heading.
Expressing my gratitude
I would like to thank the panelists for sharing their experiences and providing their insights. It was a pleasure to be surrounded by experts in the industry with decades of combined experience; what a dynamic discussion. I look forward to more healthcare IT collaboration at future HIMSS events.
Watch the full panel discussion on the SoCal HIMSS YouTube channel.