8 Signs of a strong security culture

Cybersecurity incidents in healthcare are on the rise. Organizations are continuing to strengthen their security programs.

I am currently working with two clients who are focusing on security. One is a large regional organization that is hiring their first Chief Information Security Officer (CISO). They asked StarBridge Advisors to provide an interim CISO to help build the security program while they recruit. The other is a university health system that is consolidating their security program under the university CISO and hiring an associate CISO to focus on the health system. Both organizations recognize the importance of the CISO role and the need to continually strengthen their security profile.

While it may be surprising to see organizations hiring their first CISO in 2018, what matters is that they recognize the need and are making the investment.

When I served as CIO at Michigan Medicine for the hospitals and health centers, we crossed that bridge in 2015. The IT leader responsible for infrastructure had been responsible for security as well – not uncommon in healthcare organizations. I recognized that the security function needed a dedicated focus, so we hired a full-time CISO.

I engaged a third-party security expert to conduct an assessment using the NIST framework. As a CIO, I learned a great deal through that process. With the help of our consultant, I was able to educate the executive team as well. One component of the final assessment report was about creating a security culture.

Security cannot just be the job of the CISO. It is everyone’s job. These are the signs that an organization has developed a security culture:

  • Security is discussed at the senior executive level, with critical decisions about organizational security activities made by the CEO and other senior leaders;
  • Senior executives receive regular reports on the security posture of the organization, and incorporate them into overall organizational risk management;
  • The organization has a CISO, positioned to influence organizational activities, who operates independently of conflicts of interest;
  • Security staffing levels are adequate to address the existing and future security issues;
  • Security is a defined budgetary item, with security spending sufficient to address identified risks;
  • Security is incorporated into overall organizational activities, including system acquisition, and data sharing with business partners;
  • The organization’s research arm views security as critical to research activities, even if the research involves information considered public; and
  • Workforce members are aware of their roles and responsibilities with respect to IT security and are held accountable to meeting them.

Can your organization check off all the boxes on this list? If not, you’ve got work to do.

Related Post:

Everyone Must Participate in Making Healthcare Secure!


4 thoughts on “8 Signs of a strong security culture”

  1. As you mentioned, one way to know if keeping information secure is high on the list is if security is incorporated into data sharing with business partners. My brother recently decided that he needs to hire a business lawyer for his company, and he wants to make sure that all of his information is secure. I will have to share this information with him, and see if it helps him find the right one for his company.
