Today in health IT, we are going to try to answer, me and Drex are going to try to answer the age old question of org structure for the chief information security officer, and we're going to do that in a second here. My name is Bill Russell.
I'm a former 16 hospital system and creator of This Week Health, a set of channels and events dedicated to transform health care, one connection at a time. Today's show is brought to you by Panda Health. Digital health is hard and Panda makes it easier. Quickly and comprehensively vet digital health solutions and be fully prepared and informed for your next meeting.
Panda helps health system leaders make confident decisions about digital health without the complexity and burden of figuring things out on your own. They help you get smarter, faster through peer input, market intelligence, and advisory services. Check them out at thisweekhealth. com slash panda. Uh, Hey, this is not a news story that you find on our news site, but you still check it out thisweekhealth.
com slash news, let us know what you think. And one last thing, share this podcast with a friend or colleague. Use it as a foundation for daily or weekly discussions on the topics that are relevant to you in the industry. A form of mentoring. They can subscribe wherever you listen to podcasts. All right.
Today we're going to talk about that question. Where does the security officer sit? We're seeing a lot of movement in this space. Drex, welcome to the show. We don't usually do a Today Show like this, but this seemed like a topic I should talk to you about.
It's kind of interesting. We, um, this is the stuff that happens.
So the backstage part of this, this is, this is, these are the kinds of things that happen to Bill and I regularly. It's kind of, that's also sort of part of how the whole 229 project came together is that people call us and they ask us questions and then we say like, Hmm, that's an interesting question.
And then I call Bill or Bill calls me and then we have a conversation. And today that phone call wound up here. We're going to, we're going to do a recording.
And so the question is essentially, The Chief Information Security Officer traditionally has reported into IT, but in some cases, like in my case and your case, in fact, we said, you know what, there should be oversight that's other, that's outside of, and so we actually pushed it out into the legal and compliance area, and we We hired a chief security officer, not a chief information security officer, chief security officer, and they oversaw the stuff that happened in my organization.
They were really accountability, oversight, but they were also education, so they took on the whole education banner. So that person and their team not only did audits of the things we were doing and, and helped us in that regard, but they also took responsibility for educating because they had to educate people on physical security.
They were, he was literally a chief security officer, physical security, information security, the whole nine yards. So that's, that's how, but I will say when I came in, Security was under IT, uh, there was a physical security and there was information security. And we brought those two things together.
What's, what's been your experience?
Yeah, well, I, I've never, I haven't been, I'm sitting here thinking about it. I don't think I've been to a place where we brought physical and information together. security together. Uh, my first kind of experience in making that decision was when I was in DC. I was in the Air Force at the time.
I was Chief Technology Officer for Air Force Health's Worldwide Operations and the CCO reported to me and we had There were, there were, it occurred to me at one point in a meeting, I think we were deploying networks in Europe and there was some kind of a problem with the networks and the patching and we were trying to hit a go live date and I said something to the effect of like, I really hope we can hit the go live date.
The CISO offered up the like, look, I think we can write a waiver for those patches so that you can hit the go live date. And for me, that was my first realization of like. If that person works for me and I write their ticket, if I write their annual review or, you know, they're going to do things that are unnatural for them to help me be successful.
And I want them to help me be successful. I need that partnership, but I don't want them to do things that put the organization at risk when they shouldn't. Put the organization at risk. So that's the point at which I said, I think we need to take this person and move them outside of my department. So I don't have even though I'm not trying to influence them, there's just an undue influence that happens in that relationship.
So what are we seeing? Like, we're seeing a lot of things. We're seeing information security officers and technical, uh, chief technology officers come together. We're seeing, uh, we just described this, but I would say, I don't know, more common is probably, it's still the CISO reporting into the CIO. Wouldn't, wouldn't you say it's still more common in that direction?
Yeah, I think it's probably the most common arrangement today is that the CISO reports to the CIO. If you have an organization structure where, um, you know, even in that situation, the CISO's got to report somewhere. Uh, when I was at, One organization, we pushed them out of the department and actually the decision was that the CISO would report to the board of directors.
They would actually pitch all the way around, even the CEO, and have regular direct contact to the board. The board wrote that person's ticket. And so that was one version of the structure. Did
that work? That's interesting to me.
It did work. And a lot of it was because it was the right
person.
A lot of this boils down to relationships, right?
And the right people. So the CISO has got to report to somebody. They can report to, I've been in situations where they reported to compliance that they've reported to legal, um, or they've reported to the CIO. As long as the dotted line connections in the relationships are good enough and solid enough, it almost doesn't matter who they report to.
As long as there's transparency. And the reality that, um, there's never going to be enough resources to get all the things done that are on the risk register. And it's about prioritizing that work and then deciding when and how you apply resources to get the work done. And then everybody's on the same page.
Everybody has responsibility for whatever's happening with security implementations operations.
All right. So. Let's, let's talk about what the structure needs to be in order for it to work. I just said, you know, it needs to be the right person, but it's probably the right, uh, the right framework. So let's start with what doesn't work.
What doesn't work, uh, from, from my perspective is when, like when I came in, I had the chief information security officer reporting into me, which was fine. But what we had was, you know, essentially an external auditor, which it was, they just kept coming in and, and giving us reports, you know, bad grade, bad grade, bad grade.
The CISO was never able to be proactive or strategic. They were just constantly just churning, responding, respond, respond, respond. Trying to close audit results. Right. And it was not, it was not moving. Um, and sometimes when we move that CISO over to compliance, that's what they see their role as. Like, my role is to just point the finger and say, hey, that's broke.
And oh, by the way, this is broken as well. I mean, I, that, that doesn't work. I wouldn't think.
Yeah, I think the, the. The challenge with that is, I mean, ultimately the goal has to be to build a better security program and the security program isn't, I mean, part of it is checking those boxes and making sure that you're complying and do all the things that you're supposed to do.
But a big part of it is building a program where those boxes almost check themselves because you've built a good program that does the things that it's supposed to do. And thereby, You have compliance with the requirements that are being levied on you. And the audits that are being done are finding things that are actually just making the existing program better instead of trying to just put in a hotfix for this or that or whatever, just to try to make the audit finding go away.
Those things usually don't stick, and then something changes later, and then another audit comes in and they say, we found the same thing again. And it's like, yeah, because you didn't really fix the system. You just put a bandaid on that particular issue. And we see that problem over and over again.
So it's really between the person who has to implement the changes and the person who's identifying the problem or setting the strategy.
Um, and when there is not a tight link, either reporting link, if there's not going to be a reporting link, there has to be a strong unwritten contract between those entities of we are, we're, we're bound by the common goal of creating a better program that is. For lack of a better term, it's self sustaining.
Like, it just keeps getting better because we've set up the right rules and the right environment, the right culture, and, you know, the right systems that we are, we're getting better on a day by day basis. Um, the, what happens is when they're other, they're separate, and one's just saying, hey, do this work, and do this work, and do this work, that just breaks down very, very rapidly.
I mean, you know, you wind up with a situation where, depending on how they're structured, again, let's just say it's the CISO telling the CTO, you need to do all of these things. The CTO is also, in the spirit of, unfocused, on, uh, unprioritized work. They have projects, they have daily operations, they have things that are, you know, breaking, so they have break fix, they have move ads and changes because things are always happening in the environment, they have new mergers and acquisitions, and then they have this whole pile of things that this chief security officer wants them to do.
And they know that's important, but everything else they're being asked to do is important too, and so they try to figure out how to juggle that and manage that, as opposed to saying, Let's bring this together. Let's prioritize kind of all the work. Let's understand the risk that let's look at the things that you're telling me to do, which one of those is really like the most risky things, because sometimes in those audits, what you get are things that are, I mean, that's interesting, but the odds of that being taken advantage of actually a really low, we probably should just put that.
Put that fix off or, um, wait until we roll out this new part of the security program and that's when we're going to pick that up and close it. Uh, but if you don't have that kind of a structured conversation, if you don't have that kind of a relationship, it grinds too, right? This relationship gets really bad and it starts to fester and these people start to not like each other.
And that's not good. That's not good for the organization. It's not good for a person. Patients and families is not good for anyone.
Right. And, uh, so this, this is to be continued. We are seeing that CISO and CTO role get smashed together. I like, uh, and the rationale is typically what you just described, which is like, you know, if you put it into one person.
They got to argue
with themselves. Right. They're able to,
they're able to prioritize and rank things. And then say to their team, Hey, I, and literally they have a lens that says, I realize you have all this break, fix and ongoing operations and project work, but we also need to fit this in and they're able to work with the team and create that environment that works well.
You see that
happening more and more too. I mean, it seems like in the last year, I've seen more and more. CISOs become the CTO and um, you know, it's, uh, when you talk to these folks, uh, we have a, we have, you know, one of, member of our community who refers to himself as a CISTO. It's a, it's a, it's a, I'm sure it's a real adventure, but I think it's a lot of.
ability to manage this stuff kind of now centered in one person and, and maybe it works better like that.
You know, it's interesting because the, the question really is, is there a body of work out there? Has anyone looked at this? What works? What doesn't work? And that kind of stuff. I, I wasn't, I'm not familiar with anything that's written or out there.
Um, are, are you familiar with anything?
I know, and I would love to see something like that. If somebody knows of a, I mean, I'll take a white paper, but I would, it would be really awesome if it was some kind of an actual study that said like, this is the structure that makes the most sense and here's why, or here's where all the booby traps are and the various versions of these structures for where a CISO reports to.
Um, I'd love to see that if you've got it. We need a copy of it.
Yeah, that'd be great. Drex, as always, great to catch up with you on a Friday. Uh, and that's all for today. Don't forget, share this podcast with a friend or colleague. Use it as a foundation to keep the conversation going and mentor. We want to thank Panda Health for investing in our 📍 mission to develop the next generation of health leaders.
You can check them out at thisweekhealth. com slash panda. Thanks for listening. That's all for now.