Great Article by Bill Siwicki
Running security and IT under a CFO or chief administrative officer is bound to be problematic because they typically lack a technology background. One expert’s alternative: Empower CIOs and all employees to innovate a culture of security.
There’s a big problem thwarting cybersecurity today, and it has to do with people – those at the top specifically, according to Mansur Hasib, a cybersecurity professor at the University System of Maryland.
“Many executives have taken the view that cybersecurity is control of people, limiting people’s use, essentially telling people they are dumb, that they cannot use technology, that their ability to load software on their computers will be disabled,” said Hasib, who wrote the books “Cybersecurity Leadership” and “The Impact of Security Culture on Security Compliance,” and earned a doctorate in cybersecurity from Capital Technology University in Laurel, Md. “Most companies run IT and cybersecurity where IT professionals live in these hallowed halls and they do not share knowledge.”
As part of his doctoral dissertation on cybersecurity in 2013, in fact, Hasib conducted a national study across a wide swath of organizations in the U.S. and found that half of healthcare entities operate IT and cybersecurity efforts through non-IT officers such as the CFO or the chief administrative officer.
Further, one-third of healthcare organizations have no CISO and one-fifth have no plan to hire a CISO anytime soon. He said this is an enormous problem for healthcare cybersecurity today.
Hasib will speak at The HIMSS and Healthcare IT News Privacy & Security Forum, May 11-12, 2016, in Los Angeles, California.
“Anthem, which had the biggest security breach in healthcare, runs IT through its chief administrative officer,” Hasib said. “These executives, with their MBA backgrounds, have no clue about IT and security, so why is this person in charge of it? Yes, they have a CIO, but no real CIO should work for a CFO or CAO. If I am a CIO and I am not reporting directly to the CEO, then I am not a CIO.”
That problem starts in graduate schools, Hasib said, where a lack of focus on IT and cybersecurity is partly responsible for what London Business School researcher and professor Gary Hamel found: that innovation and productivity in the U.S. are half of what they were in 1972.
Individuals and employees, on the other hand, are armed with greater access to technology than they have ever had. Today’s mobile phones and tablets, for instance, effectively democratize IT by putting it in just about everyone’s hands. As a result, the concept of technology run by a privileged few no longer works.
“That’s why there is a massive failure – the trust divide between executives and the common people,” Hasib explained. “Employees realize they do not have access or a role. But the reality is everyone handles data and technology, therefore the ultimate cybersecurity posture of any organization depends on people. Behavior of people determines ultimate success.”
Hasib learned about that massive failure when Anthem breached his own health data. And because of Anthem’s reporting structure, Hasib has a cure to the company’s cybersecurity woes that is blunt. “In order to improve cybersecurity, fire some CEOs,” he said. “If any CEO thinks their CFO can run their IT and cybersecurity, then that CEO does not belong in the CEO role.”
Hasib went on to say that the reason there has been such a decline in innovation in America – innovation by employees that is needed to bolster cybersecurity – is because Corporate America has put leaders on an anointed pedestal.
“We think authority is leadership, but it is not – knowledge is leadership,” he said. “Every one of us has some knowledge we can use to guide others in whatever it is we know. Leadership is guiding someone to a purpose, usually where that person wants to go. Management is forcing someone to go where you want that person to go. It is much better to inspire people and lead them to where they want to go.”
As such, any C-suite officer can inspire values in employees throughout an organization, values that in the case of cybersecurity can include, for example, loyalty, trust and innovation.
“A company that does not have the loyalty of the people in its organization will never have cybersecurity,” Hasib said. “Great companies have a culture where they allow people to take risks – and understand innovation by itself has risk.”
Hasib cited as an example a nuclear power plant he studied. Needless to say, safety was a value its leaders promulgated throughout the organization.
“There, safety is the culture,” he explained. “Every employee is incentivized. Their business is based on how many hours they can go without a safety incident. In healthcare, does any organization give incentives for how many days without data loss? You can certainly have a goal of zero data loss, that is easy enough. What if you rewarded people for that? Everything is negative today, and people are not excited about negative stimulus. Leaders should give people incentives and reward innovation.”
Cybersecurity must indeed be about continuous innovation, Hasib added. Without innovation, an organization will never have cybersecurity, and it’s people who create a culture of innovation.
Hasib will speak at The HIMSS and Healthcare IT News Privacy and Security Forum, May 11-12, 2016, in Los Angeles, in a session titled “Healthcare USA: How to Create a Human Firewall,” May 11 from 1:45-2:30 p.m.