2 Minute Drill: Healthcare's Cybersecurity Workforce Crisis With Drex DeFord
Episode 18th January 2026 • UnHack with Drex DeFord • This Week Health

Transcripts

This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

Hey everyone. I'm Drex, and this is the 2 Minute Drill, where I cover some of the hottest security stories in healthcare, all part of the 229 Project, cyber and risk community here at This Week Health. It's great to see you today. Here's some stuff you might wanna know about. ISC2, the International Information System Security Certification Consortium.

two. They just dropped their:

So organizations are not gonna magically hire their way outta this problem. And it's not just a headcount problem, it's a capability and sustainability and burnout problem according to the report. And a lot of folks that I talk to in the field, teams are being asked to do more with less, or more with the same or fewer people.

Security staffs are increasingly stretched across compliance and risk, and incident response and vendor management and cloud and identity and AI, and now have a big focus on operational resilience. All of that drives burnout, especially among mid-career practitioners, who are the folks that you really can't afford to lose.

We feel these challenges in healthcare more than other industries because hospitals don't get to pause operations when staffing is thin, or patients don't slow down just because your SOC is understaffed. So the staffing problem isn't going to be fixed in what we would consider a normal way. That problem is becoming structural.

One of the most important takeaways of the ISC2 report isn't about how many people we're missing, it's about the skills that we're missing. Organizations say they need people who can translate cyber risk into business risk and understand cloud and identity and third party exposure, especially in healthcare.

Third party risk. That means a lot more than it ever did before. It's not just making sure partners are secure, but it's about making sure we understand which third party partners in the supply chain can wreck care delivery when they go offline. Organizations are also saying they need people who can communicate clearly with executives and boards and people who can design resilience, not just prevention.

But many healthcare organizations still are hiring for narrow technical roles, and they are buying more tools, hoping that all of that adds up to a good strategy. I don't think we need more tools. Uh, let me rephrase that. I think some of you need more and better tools, but I think what we all need is a better plan.

A moment to take a second, step back, take a breath, really think through an overarching resilience strategy, and that includes all the tactics that are probably shifting as fast as the healthcare business is shifting. That means we really need people who can connect dots and prioritize risk, and explain trade-offs in plain English.

Here's the part that's kind of buried in the report, but it's one of the things I hear again and again and again from some of the top healthcare cybersecurity leaders. The best people that we have are leaving because they're exhausted and because they're doing checkbox compliance work instead of what they feel is really meaningful cybersecurity work.

They're treated like blockers instead of partners by other folks in the organization, and they don't see a path to career growth, and they're not getting access to professional development training.

So if your cybersecurity team is constantly in reactive mode, if your best people can't take vacations, if every incident turns into a blame game instead of an opportunity to learn and improve, I don't think we have a people problem. I think we have a system problem, and there is a way out of this. A lot of CSOs that I talked to are leaning hard on these ideas. While this first one takes a little time, I've seen some really great success stories tied to hiring internally to grow the security team.

A lot of folks who work in healthcare really love the mission. They have their own stories about healthcare issues for themselves or for family members. And so giving those who start their career outside of security an opportunity to grow their careers and their experience as part of the security team can be at least part of the solve for this staffing puzzle.

When you do this, you can hire for those other skills, people who understand workflow and are great problem solvers and really good collaborators, and they can connect the dots and understand risk and have the skills to talk about security challenges in mostly non-technical, mostly plain English language and in the language of business or clinical or research because that's where they came from in the organization and that's all really invaluable.

And the other way CISOs are working to solve this puzzle is by leaning into their partners. There are just some things that are easier to buy as a service utility versus building and running them on your own. Um, be agile here because partner capabilities are growing and changing constantly, and you should always be looking to take advantage where you can't.

I think the punchline is this: the cybersecurity workforce problem isn't about a shortage of humans, and that's how it sort of reveals itself. But I'm not sure that's the problem. At its core, it's about unrealistic expectations for those humans. It's about broken operating models and organizations that still think resilience can be bought instead of built. Healthcare won't be able to staff its way out of this security people problem.

We'll design our way out. Or we won't. You can read a lot more on that story, all these stories, and a lot of other tech and digital innovation and security news at thisweekhealth.com/news. That's it for today's 2 Minute Drill. Thanks for being here. Stay a little paranoid. I'll see you around campus.
