Creating Effective Security Change in Your Organization
By Devin Shirley, CISSP, C|CISO, CRISC, Arkansas Blue Cross Blue Shield
Information security is something I’ve been involved with in various environments – working in the Army, technology manufacturing, hospital, telecommunications, and now at a health payer. I’ve seen security capabilities evolve as the security concerns and threats changed from simple hacking to more destructive attacks where the repercussions can significantly disrupt or close a business. So, it is no surprise that cybersecurity has seen a shift from previous times, when security was something discussed as a technical concern in IT circles, to today, where it is presented as a major business concern in boardrooms.
In the health industry, cybersecurity has an impact not only on the organization’s company data but can also result in significant regulatory fines. And it affects more than just the organization, impacting the individuals whose information was leaked. For an industry that focuses its entire operations on improving the lives of those it serves, healthcare breaches can be devastating. The exposed data can include anything from financial information to medical history.
With increased vigilance for securing member and patient data, healthcare organizations have had to drastically improve their security posture and change the culture of how employees view security and how they operate to ensure the protection of customer data.
Simultaneously changing legacy systems and processes while trying to change the culture can be a daunting task for any security executive and their security team. It requires more than the effort of one team or individual. Instead, there has to be a focus from the top down, starting with the board of directors and the C-suite. These key leaders effectively determine how their organization builds the security program to protect against and respond to threats, and they shape how the organization views security, making it an integral part of the company business model.
As leaders, we know our focus, our priorities, and our values flow down to the teams, departments, and companies we lead. The culture we build is based on those elements and sets the tone for how everyone accomplishes their jobs. So, one of the first steps in changing your culture is to develop a sense of urgency and understand the need for security at the top levels of the organization, from senior leadership to the board.
But, it’s not enough for top leaders to understand the need for a change in the approach to cybersecurity. They have to communicate it and successfully establish the culture across their organization, in every job, from the most tenured to the newest of employees. Admittedly, changing the culture is not an easy task and will take time, but it has to start somewhere. This leads to the next component of creating that security mindset – organizational structure and processes.
It’s not enough to simply state intention. To be successful, you need to take action to turn intentions into results. You can have the best plans in place, have the buy-in of everyone in your charge, and possess all the advantages to enable success, but if you do nothing to implement the plan, you will not achieve your objectives. This is especially true when it comes to changing the security environment of your organization. Once the leadership is on board, it is imperative to deliver on the intent and the plans. This is accomplished by creating an organizational structure that will support and drive the vision of a more secure organization. One crucial way to start is to appoint a team, led by a senior leader, to lead the charge in creating and driving the security strategy while also working to enhance and achieve business goals.
Now, it is important to note that while this security team is accountable for leading and driving security initiatives in support of the security strategy, it is crucial for other areas in the organization to understand their role in the execution of the strategy and how they fit into the overall picture. One way to illustrate this concept is to use a specific function within the organization: the finance team. The finance team is accountable for conducting and leading the financial aspects of the business such as accounting, budgeting, etc. However, it is incumbent on every department to ensure fiscal responsibility by managing their budgets, controlling expenses, and improving sales – everyone working toward the goal of ensuring the financial stability of the company. Similarly, the security team is accountable for establishing and sustaining appropriate security principles that are applied and complied with, for implementing capabilities to monitor and build good security, and for responding to all security threats. However, it is up to everyone to practice proper security by doing their part to ensure the company stays safe, i.e., not sharing passwords, not opening links or attachments in phishing emails, etc.
Creating an organizational structure includes implementation and refinement of processes to align more appropriately with the security focus of the organization. To create a change in culture that effectively supports the security strategy and aligns it with business strategy, processes and policies must be in place to enable both strategic plans to work harmoniously. Processes are the roadway that takes us to the destination of achieving our tactical and strategic objectives, while policies are the guardrails that keep us on the road. By ensuring proper alignment of business and security policies and processes, organizations can leverage security objectives to attain business goals. Changing our perspective to view security as a business enabler, and integrating this into the culture and daily practices across multiple levels of a business, ensures security practices are implemented to help the business maintain and improve performance.
Once the strategy has been set and processes are in place with the resources to support them, you can focus on the technical capabilities and services required to implement and complete the security program and strategy. The controls, monitoring, and response capabilities put in place through various processes and technologies further reinforce the security mindset leadership wants to create in its organization. When the company leverages these elements to achieve security goals, it validates the organizational structure and demonstrates a culture that reflects the focus and emphasis placed on security.
Successfully bringing about positive change in security, and effectively protecting the organization against cyber-attacks, starts with senior leadership. The culture, habits, mindset, and technology all need to evolve to create an ecosystem that fosters and encourages security as a vital part of the business model of the organization. By bringing about this needed shift in protecting critical data and, in the case of healthcare, its patients, leaders can ensure they are better prepared for the next attack and establish effective response plans.