When it comes to security, there are more than enough tools on the market that tout the ability to shore up the ever-increasing number of threats. That’s all well and good, but simply relying on those isn’t nearly enough.
“There is kind of a misconception among C-suite leaders that security is just an IT problem that can be addressed with tools,” said Allyson Vicars, Associate Director of Health IT Research for the Advisory Board. “That’s not the case. Tech is definitely a necessary security tool -- and it shouldn’t be deprioritized or underfunded. But there are other tools in the ecosystem that can determine how staff get the most out of those investments.”
Three major areas can support those security tools: governance, C-suite engagement and third-party risk management. Especially for third-party risk, these issues will come to a head this year and “organizations need to get a bigger hold of [these functions].”
Within those areas, process and education can help the entire organization better understand the threat environment, she explained. A good place to start is with training and testing, including internal operations like phishing campaigns, business continuity plans, audits and incident response.
IT executives can make a huge investment to support the tools and communicate those opportunities to the boardroom to get the necessary support. This includes framing the threat environment in a way that C-suite members can better understand and support IT.
“You can’t really do just one of those things,” Vicars said. “It’s a layered approach.”
To Vicars, it will likely take a series of conversations. IT leadership can share results of testing with CEOs and other board members. Those with multiple facilities can show the results by each facility or department.
“What the C-Suite measures and tracks is what is going to get them to improve and convince them to invest,” said Vicars. “The goal is to see these numbers go down over time. And it gives them something tangible to track.”
Next, the C-Suite can ensure training and testing is ongoing within the organization, she explained. And on another level, they can actually commit to participating in those exercises. Some organizations exclude C-Suite or doctors from training, “but that shouldn’t be the case.”
“Some organizations will have the C-suite sign a pledge that says if they’re caught during a phishing test that they’ll do the same remediation training,” said Vicars. By getting top executives involved, it can tackle pushback issues. That way it’s not leadership against staff -- they’re all in it together.
In one instance, someone on the board was caught during testing and became a vocal advocate for improvements in security and education, explained Vicars. “It was a valuable teaching moment for the board that everyone is susceptible.”
“There are still a good amount of organizations that think you can just technologize your way out of it. There’s a lot of funding to shore up deficiencies as an industry, but I think there’s still a lot to go in terms of that ecosystem,” Vicars said. “We still need people in governance, still need to do better with third-party management. There’s been an upswing on getting C-Suite and board engaged, but we need to do better.”
Vicars will share how to build an enterprise-approach to mitigating risk at the HIMSS Media Security Forum on June 11 in San Francisco.