Today in Health IT leading the board around cyber risk reporting. My name is Bill Russell. I'm a former CIO for our 16 hospital system and creator of this week Health. A set of channels dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health.tuations a family can face in:
We have a goal to raise $50,000 from our community. We are already up over 11,000 and we're asking you to join us. There's two ways you could do. One is that you could hit our top banner on our website this week, health.com. Click on the Alex's Lemonade stand. Go ahead and, , give money on the Lemonade Stand site itself.
The second is we have a drive. We've been doing drives every month and for the month of March, this five has to do with five. The Vibe Conference. , my, , producer happens to have a service dog. We're bringing the service dog with us to the. and the service dog's name is Captain.
And if you see us with Captain, get your picture taken with Captain at the Vibe event, go ahead and post it to social media and tag us this week, health in the post itself. And everyone who's in that picture, if it's 10 people, if it's a hundred people, we're gonna give $1 for every person who is in that picture to, , Alex's Lemonade stand to raise money for childhood cancer.
And if you haven't listened to it yet, we did an episode. , just this week, with, , Alex's mom, Liz Scott, and we talk about, , that whole process of the foundation being started, Alex's great story and the continuing work of Alex's lemonade stand. Go ahead and give that a listen, and I think that will inspire you as it did me to be a part of raising money for this great.
All right, today. Today I'm gonna go into an article that was read, written by a chief information security officer and it's Vic Aurora with, , hospital for Special Surgery out of New York City. And the title is ciso, board Relationship and Cyber Risk Reporting.
Let me give you some of this. It's really good. It's phenomenal, in fact. So, , in 15 years at ciso, I've reported to three different boards and each journey has been different. That's a great point. In and of itself, every board is not the same. The makeup is different, the background is different. Some boards were designed to handle the technology and the technology curve.
Some were not, and so you have to take a little different approach. Several years, years ago, I wrote an article about the four questions every board must ask the ciso, and if you haven't read this article, this is worth taking a look at as well. Let me give you those four questions in case you don't get a chance.
, and by the way, this article I'm reading right off of LinkedIn, so if you go to LinkedIn, look at Vic, , Vic, v i k r a n t, , Aurora Hospital for Special Surgery. If you find him, you'll find this post. , anyway, the que question number one is, is there information security framework in place? This was written seven years ago, by the way.
, what is the scope and methodology of the risk assessment? How do you measure the maturity of processes that make up the InfoSec program? And number four, what are we doing to respond to a particular threat that's making headlines today? , so in and of itself a good article worth a read. , today's blog builds on that and explores my most successful journey so far.tion for quite some time, but:
Following the Russia Ukrainian conflict and upcoming cybersecurity requirements for boards and executives by the S E C and New York Department of Financial Services increased the frequency and complexity of my cyber brief. It was clear that it needed, , that we needed to articulate key facts about our threat landscape and the highest levels of our organization in order to enable effective risk oversight.
To this end, the audit committee and senior management agreed to take a programmatic approach. Over the next few months, we empowered the audit committee to gain an understanding of our risks, remediation plans, and overall threat preparedness. Our eight month. Culminated in a one page cyber risk dashboard, which was, is updated monthly and made available to the audit committee via a self-service option Based on our experience during this process.
Here are my four key takeaways. Number one, create an alliance. Identify an ally on the board who can help you understand the board's expectations and understanding of cybersecurity afterward, put a plan in place to raise their level of understanding and meet their exact expectations. The CISO's risk reporting.
Journey is collaborative and most boards are ready to pitch in. Okay. And he talks a little bit more about that. That's a great point. Absolutely. Anytime you're working with a group, you need to find champions. You need to find an ally. Who is going to help you. I had to do this with several physician practices.
I had to do this with several boards. , it's always good. You're not gonna be an insider. You're gonna be, by definition, you're gonna be an outsider coming in to present whatever your level of expertise is. Find somebody who is an insider who can help you to navigate it. And, , not knowing where the landmines are is, , is a dangerous way to go about things.
Number two, pretty slides. Not really. , those are his words. Pretty slides, dot, dot, dot. Not really. Even though colorful dashboards and big four pre presentations are desirable, they're icing on the cake and not the core Board members are voracious and analytical readers. So explain everything in plain English as a narrative.
Additionally, ensure you have defensible data and analysis. Absolutely, absolutely, absolutely. , don't spend, I mean, professional slides. Absolutely. Pretty slides. Don't waste your time. , one of the things I did pretty often with our committee members, , in between meetings and whatnot, was I would shoot them articles.
I would read really, , interesting articles or, , articles about, let's say a significant brief that has happened in healthcare, maybe an analysis of that breach and how it came to be. I would send that in between and that would form the foundation of a conversation they might. On the board, at the board level, or at the subcommittee level, or something they might ask me questions about when I went into the meeting.
Okay. Number three, teamwork is vital to security. Despite the cliche. A CISO is responsible for cybersecurity and risk management, but depends on various stakeholders outside his or her team for success. So buy-in from everyone is not just essential, but m. , right? So it's a team sport and he's right. It is a cliche, but it's absolutely true.
So you go past the cliche when things are true. In our case, my immediate sounding boards were the CIO and the corporate compliance officer. Once the threat. Once the threat threat, once the three of us agreed, we shared everything with the audit committee chair and then the ceo. Prior credibility and risk briefing.
Cadence with the CEO helped tremendously. Also, given the CEO's vantage point, his input improved contextual relevance. There was also sections of the white paper that needed information from the CFO and technical sections that required feedback from the cto, chief legal Officer, chair of our information security steering group, so forth.
And so you get the picture. , Complex, it's, there's a compliance group, there's a legal group, there's financial implications, there's operations. COO wasn't mentioned here, but COO is important. , cto, obviously, , CEO as well, and obviously the cio CISO relationship's. So vital. , let's see. And then the last thing he has here is deliver a minimum viable product.
I love this point, by the way. While all this collaboration, preparation, and education are essential, it is a, it is a considerable time commitment for various directors and executives. A quick win is necessary to maintain momentum. I'm a huge fan of quick. , get that quick win outta the gate. When I became a CIO at St.
Joe's, , I look, I wasn't gonna create a quick win overnight by myself. I went into all the projects that were going on and talked to all the leaders, and I found, , one specific project that had all the elements I was looking for. It was ready to go. It had gotten lost in the shuffle. It did not have funding, but it was well orchestrated.
Great leadership team, , really, , they had a good implementation plan and they had already, , socialized the entire thing with the physician group and it was gonna impact the most important group for me to get in front of, which was the physician group and make their lives easier. And so they had it all ready to go.
All I did was give them the. . I mean, we went through, , the various things. I analyzed it, we looked at risk, we talked to the various teams. But it was something that within 30 days of me becoming CIO gave them the money. They went to the races and it was a huge success. And it was a quick win, , and gave us momentum for other things that we were trying to do.
So right out of the shoot, you are in a good, , position. Quick wins are, . All right, so what's the quick win you can get with the board in this for us? The quick win was a one page cyber risk dashboard that the audit committee was waiting for with eager anticipation. Based on the sessions, we identified 10 categories that reflected organization cyber risk, readiness, and strategy.
Of course there was a corresponding white paper with clear definitions, targets, and industry benchmarks for each category. The dashboard dashboard was aligned with the NIST cybersecurity framework and broken down into the following three sections. Maybe. Another reason I love this is that's exactly what we did.
We used the NIST framework. We created a really easy to understand dashboard five. , you know, and it was red, yellow, green, so it was pretty easy to understand. Here's some of the things they had on their dashboard. Strategic risk. There are systemic issues that are leading indicators of risk using the healthcare analogy.
These are chronic conditions such as blood pressure or diabetes, which can cause harm eventually, if not managed well. So strategic risk. Identifying those, there's operational risk. These are the day-to-day risks due to the failure of people, processes, technology, or an external event. and represent lagging indicators of risk using a healthcare analogy.
These are conditions such as a broken angle or infection requiring an immediate doctor visit. I love the fact that he's using healthcare terminology to explain cybersecurity. This is so contextually relevant. It is so well done. , so we have strategic risk, operational risk, and then program maturity.
The program maturity outlines independently assessed effectiveness of key controls. With the Ness Cybersecurity Framework. This represents the organization's overall threat preparedness. Again, using a healthcare analogy, this is like the annual exam or blood work indicative of your overall wellbeing. In some, we leverage collaboration, trust, relationships, and robust data analysis to communicate risk in a way that made sense to our key stakeholders.
There you go, and he goes on. There's more in the article. I highly recommend you go out and read the article. It's on. , I, you know, I'll put a link to it in the show notes and the title is ciso, board Relationship and Cyber Risk Reporting. Vic Aurora, VP and CISO for Hospital for Special Surgery. Great job.
Love the article. Glad to share it with the community. Well, that's all for today. If you know of someone that might benefit from our channel, please forward them a note. I'm serious here. Think of it right now. Who could you forward a note to and say, Hey, you should be listening to this channel. I'm getting a lot out of it.
I'd love to just talk to you about some of the stories that they cover that would really go a long way in helping us to continue to create content for the community and events for the community. They can subscribe on our website this week, health.com, or wherever you listen to podcasts. Apple, Google Overcast, Spotify.
Stitcher and I could go on and on and on because anywhere that a podcast can be listened to, we're already out there. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders. Sure. Test and 📍 Artis site. Check them out at this week, health.com/today.
Thanks for listening. That's all for now.