BreachExchange mailing list archives

Why You Need A Chief Information Security Officer


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Apr 2014 18:46:46 -0600

http://www.information-management.com/news/why-you-need-a-chief-information-security-officer-10025593-1.html

Consider: Threats to the security and privacy of patient data in the U.S.
healthcare system are increasing, healthcare organizations continue to
struggle with the increasingly complex federal and state privacy and
security regulations, and many, if not most, providers have experienced a
data breach.

Those are among the findings of the Fourth Annual Benchmark Study on
Patient Privacy & Data Security, which was conducted by Ponemon Institute
and published in March 2014.

Here’s a quick summary of some of the study’s other takeaways:

- Fifty-one percent of healthcare organization respondents are compliant
with the post-incident risk assessment requirement in the HIPAA Omnibus
Rule while 49 percent report they are not compliant or are only partially
compliant.
- Thirty-nine percent say their incident assessment process is not
effective and cite a lack of consistency and inability to scale their
process as the primary reasons.
- The process most often used to conduct and document post-incident risk
assessments is a manual process that was developed internally (34 percent)
followed by an ad-hoc process (23 percent). Only 15 percent use an
automated tool or process developed internally or one that was developed by
a third party (20 percent).
- Forty-six percent of organizations have personnel who are knowledgeable
about HITECH and states’ data breach notification laws.

Why do healthcare organizations still struggle with the fundamentals of
information security?

The success of an information security program has as much to do with
people and process as it does with technology. Establishing a dedicated
staff that is responsible for the management and oversight of information
security is crucial.

And hiring a strong Chief Information Security Officer (CISO) is one of the
most important tasks in an overall strategy to effectively protect the
confidentiality, integrity and availability of information.

CISOs retain accountability and responsibility for the success of their
information security program and provide the focus and strategic presence
necessary for the program to achieve its objectives. By coordinating all
information security activities under the guidance and leadership of a
CISO, healthcare organizations can significantly improve their security
posture while reducing the risk of issues not being effectively addressed.

The role of the CISO is strategic and tactical while acting as a conduit
between the clinical, business and IT operations.  Accomplishing the
mission of an information security program requires a CISO with strong
leadership skills, executive presence, security knowledge and effective
placement within the organization.

Let’s break down these attributes in further detail:

- Leadership - The CISO should provide executive leadership in developing,
planning, coordinating, administering, managing, staffing and supervising
all information security-related operations.  The CISO should provide
overall leadership to the information security program and its coordination
with complementary programs including privacy, compliance, physical
security, risk management, purchasing, human resources, internal audit and
legal counsel as well as integrate closely with clinical and business
executives.
- Executive Presence - The CISO serves as a spokesperson for the
Information Security Program including presentations to the board of
directors and addressing concerns expressed by auditors, vendors and
patients.  The CISO should have the executive presence to effectively
represent the organization’s position regarding information security
matters and the ability to influence other executives in the achievement of
their clinical and business goals in a manner consistent with the security
program objectives. Simultaneously, the CISO should possess effective
communication skills and an ability to interact with personnel at all
levels in the organization.
- Knowledge - The CISO should decide or recommend the organization’s
stance on numerous information security issues and, as such, should have a
solid basis of security knowledge upon which to draw. The CISO should
possess strong analytical and diagnostic abilities to understand and apply
theoretical concepts to practical problems. The CISO should have strong
information security skills derived from having at least 10 years’
experience in information technology and five to seven years of direct
experience managing a program.  The CISO should be a Certified Information
Systems Security Professional (CISSP) or Certified Information Security
Manager (CISM).
- Organizational Placement - Organizational placement of the Information
Security team varies by organization. However, the information security
program should be treated as an enterprise-wide responsibility accountable
for addressing security-related people, process and technology issues. It’s
important to consider the placement of the CISO such that he or she has
senior executive sponsorship and support to ensure the success of the
information security program.

From the CISO’s first day on the job, he or she needs to meet with people
in many different functions and layers within the organization. The role
includes a lot of listening, data gathering and synthesizing of
information. The role also includes explaining, training and persuading
people at all levels of the organization so that they understand what
information security is and how information risks affect their areas of
responsibility. The CISO should have excellent people skills and be a good
manager because this role cannot be accomplished alone. The CISO should get
accustomed to hearing the word “no” on a regular basis when they first get
started.

An effective information security program can only be achieved when a
holistic approach is adopted.  This approach should take into consideration
the people, process and technology dimensions of information security while
adopting a risk-balanced, business-based approach. Information Security is
a journey, not a destination and there are always new challenges to meet.
HIPAA security compliance can be one of those challenges because it is not
achievable through a single solution and does take time to address.
However, the Fourth Annual Benchmark Study clearly illustrates that a large
number of healthcare organizations still need to step up their security
game and hire an effective CISO, since it has been nine years since the HIPAA
security compliance deadline of April 2005.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 