CISOs Need to Understand There Are Some Problems That Can’t be Solved. If You Make Everything a Priority, Then Nothing is a Priority
This issue of SecurityWeek’s CISO Conversations, a series of interviews with leading CISOs from the critical industries, looks at the healthcare sector. In this feature we talk to Cris Ewell, CISO at the University of Washington Medical Center (UW Medicine), and Dan Bowden, VP and CISO of Sentara Healthcare. They provide deep insights into future threats, the role of soft skills, compliance, handling stress and more.
Healthcare has been one of the most attacked sectors for many years. The basic reasons are the value of protected health information (PHI) to criminals, the persistent pressure on healthcare institutions to put spare funds into saving lives rather than improving security, and the life-or-death requirement to keep clinical and operational technology running at all times.
The last of these has attracted the ransomware criminals in the belief that healthcare institutions will more readily pay for recovery than risk the lives of patients. In recent years, ransomware and healthcare have become almost inseparable.
Just last week, the U.S. government warned hospitals and healthcare providers of an “increased and imminent” ransomware threat, which one expert described as “the most significant cyber security threat we’ve ever seen in the United States.”
Surprisingly, however, neither Cris Ewell nor Dan Bowden considers ransomware to be their biggest future threat. That place is reserved for managing the increased attack surface from an expanding mobile and portable workforce, a natural process that has been pushed into overdrive by the COVID-19 pandemic. “Mobility and remote working is where healthcare is headed,” commented Cris Ewell.
Bowden elaborated, “Covid-19 propelled what was already happening – a move towards tele-health services. We went from doing a few hundred video visits a month in February to doing over 50,000 in March and April. Same thing with our digital and mobile apps – by May we had passed our annual goal for mobile app downloads.”
This acceleration of remote working is being experienced to one degree or another by all industry sectors: there is a rapidly expanding number of devices located outside the corporate network and beyond the direct control of the internal security team. It is happening faster in healthcare than in other sectors because the pandemic forced remote working while simultaneously increasing workloads. Remote working will not suddenly disappear with the passing of the pandemic – the economic benefits of reduced real estate costs will not be easily abandoned.
But… “How do we do forensic investigations on everybody at home?” asks Ewell. “I don’t have an answer for that. We’re trying to work through that issue right now. My already proliferated data is now even more proliferated by sitting on home computers. We’re going to have to figure out how we do this with a very mobile and portable workforce.”
And it could get even worse. Just as the pandemic has propelled remote working, remote working may propel another process: a more rapid expansion of a wider gig economy in which companies tap into the pool of remote workers as, and only when, needed. This will undoubtedly have an effect on staff loyalty, and a transient workforce holding access to systems and data is a new threat vector for CISOs to consider.
Of course, the need for rapid realignments in security priorities is constant, which leads to one of the perennial issues faced by CISOs: where in the organizational hierarchy should the CISO sit, to be able to effect sudden, dramatic and far-reaching changes to security posture?
“It depends,” says Bowden. He believes leadership is more to do with the ability to build and maintain relationships, and to lead by influence rather than occupy a particular position. “It doesn’t matter where you are, respect is something you have to earn. You must lead and get things done through influence and by convincing the organization that what you want done is the right thing for the organization. I would say that no matter where you report, if you can’t accomplish those things, you’re not going to be successful.”
Ewell agrees. “As long as the CISO has the ability to effect change, and to really assess the risk and present that to the business, the hierarchy doesn’t matter as long as it is unencumbered.” That said, he does not believe that reporting directly to either the CEO or the CIO is optimal, since each has their own, different priorities (he himself actually reports to the CIO). More importantly, he also reports to the Chief Health System Officer, and he and all the organization’s VPs sit on a security executive committee. It is his ability to influence and guide that committee that is essential to his role.
The need for soft skills
This brings us to one of the most essential requirements of the modern CISO – well-honed soft skills. “I actually manage very little,” comments Ewell, “but I need to influence a great deal. That’s where soft skills are important, where you need to have relationships with people like the CFO and business officers and technical officers – you need to have a relationship with all of these people.”
Part of that, he continued, “is you have to be very careful in how you present data; and that’s where soft skills come into play. You cannot keep saying, like Chicken Little, ‘the sky is falling, the sky is falling’; because if you look at our risk, it’s really bad – we’re attacked every hour of every day; but they’re not successful every day. If we go on about yes, you’re going to be attacked right now because we have this one unpatched machine when we have hundreds of thousands of them, pretty soon it’s just noise. And if you keep saying that every time you meet with someone, it’s not going to work.”
That said, sometimes the sky really is falling. It is a simple fact that ‘fear sells’. Fear is a powerful economic driver: it underlies much of the security product market; it is used by governments to make onerous legislation acceptable; it is adeptly manipulated by social-engineering cyber criminals; and it is an opportunity that CISOs can use. A good crisis should never go to waste, but it should be exploited only in moderation.
“You can use an incident,” explains Ewell, “to highlight the weaknesses in your posture, and introduce some of the solutions that could be used to bring risk management up to an acceptable level.”
But then there’s the business context. “When you start looking at patient care, it’s really sobering I think for CISOs coming into a healthcare facility. They have to deal with things like, OK you got $100, and we can spend it on new security, or we can spend it on saving patients’ lives. So you have to start really prioritizing, and say every dollar I spend takes it away from patient care. While it’s very important to protect patients’ security and data, there is a balance to be struck; and that’s where a lot of CISOs start to fail,” – the balance between the purpose of the organization and the security of the organization. Soft skills are essential to finding and then ensuring the right balance between security and business efficiency.
Businessperson or techie?
This is the new reality for the CISO: he or she must be part security technician and part businessperson, able to understand and accommodate the business realities of the organization. This raises an interesting question: can the modern CISO be a businessperson who surrounds himself or herself with security expertise, or a security technician who employs MBAs on his or her team?
For the moment, both Bowden and Ewell believe the CISO must combine both skills. “It’s a question of credibility,” says Ewell. “I bring credibility because of my technical background – but CISOs prosper best where they can blend both disciplines.” His business skills help determine whether the engineers are over-thinking a problem; but because “I’ve been in the trenches with them,” he can explain business realities to the engineers and technical requirements to the business leaders.
Bowden agrees, but thinks the situation is fluid. “Three or four years ago, being a techie was good enough – and I think if you work in Silicon Valley for one of the big tech companies you still need to be pretty technical in order to gain the trust and the respect of the CTO, the development team, and so on.”
But outside of the tech companies, the need for business skills is more important. “If you’re working in more service-oriented companies, such as healthcare, insurance, and banking, then you absolutely need good business and communications acumen even more than technical skills. You need to be able to understand the leaders in other parts of the organization, and learn how they speak, learn how they assess risk, and how to model what you’re trying to do into their methodology. The trend is that you need to be better at business, but it’s difficult for those in tech companies because they’ve got to be both.”
Coupled with the increasing need for business understanding is a further shift in the CISO’s role: the growing need to be a strategist rather than a tactician. “In my position today,” comments Ewell, “I’m about 80% a strategist and only 20% a tactician. I don’t get too involved with the sharp end, because it might end up with me getting in the way of my team – I just do enough to keep my skill level high enough to understand what everyone is doing.”
The compliance question
The required knowledge base of the modern CISO has grown beyond technical and business, and now also requires a working knowledge of some legal aspects. The issue here is ‘compliance’. Many organizations have a separate privacy officer, compliance officer, or general counsel who ‘owns’ compliance – but whoever owns it, it is the CISO who must implement it.
CISO attitudes towards compliance are far from uniform – some consider it a boon to security, while others consider it a burden. Bowden’s view is nuanced. “I believe security enables compliance, but compliance may not enable security,” he says. “That’s the important aspect.” Compliance and security are separate issues.
He gives an example where he had to address PCI compliance. “We had an application that had a critical vulnerability to a DDoS attack. My question was, when the app goes down, can the attacker get to the data. The answer was no. Well, taking the purely compliance route (PCI is about confidentiality far more than availability), I just forwarded the details as an FYI vulnerability to the business owner of the application – but I did not consider it a critical path item to compliance.”
Bowden continued, “For security we believe in the confidentiality, integrity, and availability; so, with my security hat on, I do track and try to manage that vulnerability. From a compliance standpoint, I may not. I’m not one who has an emotional argument that they should be separate, or together, but I think people need to understand whether they are looking at risk through a security lens or a compliance lens.”
Compliance requirements can also be used to move forward security. “In some circumstances,” says Ewell, “I use compliance with federal laws to move things along if it will help my argument; but I don’t drive my strategy by compliance. We are a very compliance-focused organization. There are almost forty different federal, state, and international laws that we try to comply with. So, compliance actually has a higher seat at the table than I do.”
Here he uses his soft skills and relationships so that he stays in control. “I will certainly partner with the compliance owners when I need to drive initiatives. So, I use compliance as a tool, and if I need to use that tool, I absolutely will use that tool. If I don’t, and it doesn’t affect my overall strategy, then I’ll leave that tool for when I really need to have it.”
But it remains a complex issue, and it is often difficult to know whether an organization is compliant or not. HIPAA – central to healthcare – is an example. The requirements are specified, but there is no official HIPAA certification, and routine federal auditing is limited: the HHS Office for Civil Rights has run periodic audit programs, but most enforcement is triggered by a reported breach or a complaint. Any organization may say it is HIPAA compliant – and it may well be, with security and privacy controls mapped to NIST controls. But proof of compliance or non-compliance usually only comes after a breach and the subsequent investigation by the governing body. Effectively, you are HIPAA-compliant until proven to be non-compliant after the event.
Stress and advice
There is little doubt that the CISO role is complex, getting more complex, and is highly stressful. Bowden believes the secret to handling the stress is knowing when to let go. “Stress is a huge problem for CISOs,” he says. “I know stories about substance abuse, depression, and anxiety – it’s a tough thing because we all take everything so seriously. And that’s the best and worst thing about us.”
A CISO needs to understand that there are some problems that cannot be solved, at least not here and right now. “As CISOs, we’re all wired to manage risk, and it’s hard to let anything go. But the truth is, if we put one thing down, there’s always ninety-nine other things we can work on and make real progress on. I think sometimes we hang on to things that we’re trying to get done, and we stress over things that at that point in time either we don’t have the resources or the support or the other things we need to move that ahead; but still some of us cannot let it go. What I’ve learned is there are probably ten other things I can go do, and this one will still be here when I come back to it.”
The ability to know when to let something go is important – but this also requires understanding when to push ahead. Here, Bowden’s advice is almost the opposite: “If you believe you are right, you don’t need to wait for permission to act, or to wait for the perfect circumstances before moving forward and making something better. For 80% of the good things I have accomplished in my life, I think it was most often acting on that.” It’s a variation of ‘fortune favors the brave’.
Ewell’s attitude towards stress is a little different – he is one of those rare people who just doesn’t get stressed. “I’ve seen some of my peers being stressed; but it isn’t a great problem for me,” he says. “Dealing with stressful situations just never bothers me. It’s a great life.” His position is ‘at will’ – he knows he could be fired tomorrow, for no reason, at the stroke of a pen; and perhaps coming to terms with that helps reduce the stress levels. ‘At will’ employment is something we will all need to handle in the future as the gig economy and mobile working become more prevalent.
His advice, however, is remarkably similar to Bowden’s advice: you need to be able to let some things just simmer. “You have to be able to say, that’s one problem I’m not going to deal with right now. I’ll wait to see how things play out before I get involved,” he says. “That has been very beneficial over the years. Sometimes, dealing with a problem head on is not the right way to do it – sometimes you must let solutions materialize organically, and for people to come on board naturally. That comes from experience and a subtle knowledge of both the organization and the people in it. If you make everything a priority, then nothing is a priority. You have to be able to say, no, that is just going to sit there for a while.”