BOSTON -- A successful cybersecurity strategy requires more than a solid security team; it also needs clear communication and the right governance processes.
Board and executive buy-in, a security budget and a solid security team are critically important success factors for building a strong cybersecurity strategy within an organization, but they are not enough for long-term success, said Bruce Forman, CISO at UMass Health Care, a three-hospital health system based in Worcester, Mass.
Cybersecurity strategies aren't static. To make changes to the strategy stick, Forman recommended that healthcare CIOs and CISOs integrate four additional features into their strategies: governance, prioritization, communication and socialization. These four tools will help healthcare organizations better adapt to changes in a cybersecurity strategy while limiting risk within the organization, he said during his talk at SecureWorld.
The criticality of governance and good communication
About a year and a half ago, Forman injected governance into UMass's cybersecurity strategy by establishing a cybersecurity advisory council, a committee dedicated specifically to cybersecurity, which was a first for Forman. The 20-member council is run by two co-chairs: the health system's vice president of finance and a clinician.
Forman reports security suggestions and status updates to the council. The council then makes decisions based on those suggestions and updates and supports the adoption of approved security measures across the healthcare organization.
Gathering consensus from across the healthcare organization ensures organizational decisions are not made in a vacuum, according to Forman. The cybersecurity advisory council is responsible for making security decisions for the entire organization, a key characteristic in ensuring the governance process is effective, he said.
Once the governance process is established, IT leaders must prioritize their security initiatives and present the top initiatives in a way that quickly and efficiently shows why they're important changes for the healthcare organization to make, Forman said. And that's where communication comes in.
Forman said it's important to communicate security initiatives in a manner that's going to draw the attention and support of the governance body. He said communication needs to be concise and ideally kept to a one-page report, free of confusing technical lingo.
"If you're presenting to the board or to an executive, if you can't get your thoughts together on one page, you're not going to get any attention," he said.
After a decision is made to roll out a cybersecurity change, such as requiring hospital staff to create a 15-character password instead of an eight-character password, Forman advised that organizations apply the change to small groups of early adopters within different areas of the organization as a test run.
"If we experience problems as we do that, we're going to address them quickly," he said.
Finally, Forman said socialization, or creating a shared vision on where an organization needs to be with its cybersecurity strategy and how everyone in the organization plays a role, is an integral part of driving change.
"Create a vision, tell the story [and] let the organization know what's coming," he said.
Communication key takeaway for HealthTrust security manager
Sergei Fischev, security manager for HealthTrust Inc. in Concord, N.H., said improved communication and reducing technical lingo could benefit his organization.
Fischev, a session attendee, took to heart Forman's suggestion to present a one-page report and communicate clearly to the governance body within his organization as a way to enact change.
"I think the one-pager was a good suggestion, because we always try to be a little bit too technical," he said. "Getting it in layman's terms is a good idea."