At the HIMSS event, healthcare CISOs spoke about the difficulties of their work.

Healthcare CISOs talked about the biggest obstacles to success in the position during a panel discussion at the HIMSS Healthcare Cybersecurity Forum.

Washington, D.C. - A number of healthcare CISOs from companies all around the nation spoke on a panel at the HIMSS Healthcare Cybersecurity Forum on October 31, 2024, about the particular difficulties that come with being the chief information security officer in the healthcare industry.

Moderator Erik Decker, vice president and CISO at Intermountain Health, opened the panel discussion by asking whether the shortage of cybersecurity professionals is truly having as large an impact on healthcare as worldwide data would indicate.

For instance, according to a 2024 ISC2 report, in order to close the present labor deficit, the global cybersecurity workforce must grow by 87%. According to CyberSeek statistics, there are over 500,000 open cybersecurity jobs in the United States.

“I think it’s real, I just think we feel it at different levels,” Kate Pierce, executive director of government affairs and virtual CISO at Fortified Health Security, stated during the event.

The personnel difficulties faced by rural and critical access hospitals differ from those faced by bigger organizations, according to Pierce, a former longtime CISO at a small hospital in Vermont.

“Being a tiny critical access hospital or even simply a one- or two-provider practice differs significantly from being a Johns Hopkins or UNC because you have the same obligations. You just have a small portion of the personnel, but you still need to defend your network and take other necessary steps.”

According to Pierce, a rural hospital may lose half of its workforce if just one cybersecurity specialist leaves.

Dee Young, the CISO at UNC Healthcare, the biggest academic health institution in North Carolina, sees the scarcity of workers in a different light.

Young stated, “Yes, there is a talent shortage - I think it’s more a lack of skills and ability and expertise in healthcare though,” as opposed to a lack of job seekers.

“I put extra effort into retaining my current workforce of experts and ensuring that I don’t have any unfilled positions,” Young added.

Young suggested internships and practicing basic IT skills to give people who want to work in cybersecurity but have no prior IT expertise a taste of what it’s like to work in the sector.

The CISOs discussed the difficult nature of the CISO position in addition to staffing issues.

“I don’t think the pressure on the CISO is comparable to other things,” Pierce said. “It’s a 24/7 constant pressure to deliver a secure system.”

Former Johns Hopkins CISO Darren Lacey emphasized the need to have a support system of peers and coworkers to turn to when dealing with work-related stress.

As the industry increasingly sees CISOs bearing the brunt of the criticism following cybersecurity events, the panel of CISOs considered the future of the post in addition to the pressures of the job.

For instance, following a significant 2020 hack, the Securities and Exchange Commission (SEC) accused SolarWinds and its CISO of fraud in October 2023. Although the majority of the SEC’s accusations were eventually dropped by a judge, the case still marks a shift in perceptions of the CISO’s function.

The panelists agreed that it is difficult to control the narrative of a CISO’s function. Being seated at the table in a room full of C-suite executives is not enough.

To convince the business that cyber is a priority, you truly need to have a voice in addition to a seat at the table, Pierce stated.

The panelists emphasized the need to maintain effective communication with the C-suite and use their position to advocate for the fundamental principles of cybersecurity.
