“What is acceptable?”
“What does HIPAA require?”
“What are other organizations doing?”
These are just a few of the questions that I answer each week when working with healthcare providers and business associates as their virtual CISO.
Each client has a different challenge, a different story, and a different budget. For example, one of the hospitals we work with is challenged by a lack of formal contingency planning. On the other hand, a business associate we work with is more challenged by not having a designated security manager with a security background on staff and by finding qualified security personnel.
Lack of Qualified Cybersecurity Personnel
One common denominator with all of my clients is a shortage of security personnel. This can be attributed to various factors, including lack of funding, challenges finding the right person, or the belief that security personnel are not necessary. The cybersecurity field is growing, and with a large number of job openings available, there are not enough qualified personnel to fill them. This may require posting cybersecurity positions sooner, because you will not be able to fill a position quickly enough if you wait until you need it filled. Funding is difficult to obtain without proper planning and justification, so organizations should identify areas where current funding may be ineffective and determine whether it can be reallocated to a security position.
People are an asset as well as a vulnerability, and when there are not enough people to do the work, the vulnerabilities increase along with the level of risk to the organization. A sound security program requires human intelligence and action to stay on top of cybersecurity threats.
Risks for Organizations with Cybersecurity Personnel Issues
Organizations need to work to overcome their personnel issues through technology and partnerships with third-party contractors if they cannot find the right security personnel. Cyber attacks do not stop when someone quits their job or when there is a shortage of cybersecurity personnel on staff. In fact, if an organization is advertising for one or more open security positions, this could be a sign that there is a shortage of qualified security personnel on staff, signaling to malicious actors that it is time to attack. Like security cameras focused on vulnerable areas within a facility, an intrusion detection system does no good if there is no one watching and ready to take action.
Breaches with more than 10 million identities exposed increased 125% from 2014 to 2015, according to Symantec’s Internet Security Threat Report. Mobile malware variants increased 77% from 2014 to 2015, and there were 54 zero-day vulnerabilities in 2015, an increase of 125% over 2014. These represent a small number of the challenges hospitals and their business associates are dealing with each day, and they cannot be overcome when there is a shortage of security personnel.
A Solution: Virtual CISO Services
One solution to address personnel shortages is the assistance of a virtual CISO (vCISO) resource. With this service, support and expert resources are provided to help the organization improve its security program without the added expense and administrative overhead it takes to recruit and retain qualified cybersecurity personnel. On top of knowledge, experience, education, and professionalism, having a dedicated vCISO on your team helps you overcome many challenges by giving you a direct line to experts with a wealth of consulting knowledge and decades of combined experience.
Truth be told, a vCISO can only do as much for your program as you allow them. This means dedicating time to your security goals and determining where the virtual CISO resource fits into your organization. This could include chairing a Steering Committee, sifting through various security frameworks to create a comprehensive working policy, critiquing your work, or even acting as your organization’s CISO.
As a vCISO I encounter my own set of challenges. Some clients are ready to rock when the engagement starts, while others have just experienced an incident so we move right into their incident response plans. No matter where you plug your vCISO resource into your network of daily chaos, you can be sure that they will be patched, up-to-date, and ready to guide you toward a stronger security program and compliance. As one of my clients appropriately put it, “It’s the journey to a stronger security program that matters, not just the certification.”
vCISOs are ready to join you on your journey. Consider what a virtual CISO can do to help you address your security program’s biggest challenges, and find out more about the service.