Sutter Health's CISO on how to overcome cultural hurdles to cybersecurity

Jacki Monson, who is also chief technology risk officer and chief privacy officer at Sutter, previews her HIMSS Healthcare Cybersecurity Forum virtual session – where she'll discuss stakeholder alignment and "privacy and security by design."

Jacki Monson, vice president, chief technology risk officer, chief information security officer and chief privacy officer at Sutter Health

Photo: Sutter Health

Cyberattacks on hospitals are rising – healthcare security leaders urgently need to ensure their organizations and the people they serve are secure. But the many decisions and actions needed to achieve security are complex and go well beyond the CISO role.

CISOs must know how to navigate cultural issues and share best practices on how to achieve consensus in their organizations – at all levels – including effective communication strategies to gain buy-in from senior management.

Jacki Monson, vice president, chief technology risk officer, chief information security officer and chief privacy officer at Sutter Health, will be speaking on this very topic at the upcoming HIMSS Cybersecurity Forum, a virtual event held December 6-7.

Her session is entitled "Achieving Buy-In, Changing the Culture around Security and Connecting to the Needs of the Business." Her co-presenters in the session will be Dan Bowden, vice president and CISO at Sentara Healthcare, and Saif Abed, director of cybersecurity advisory services at Abed Graham Group.

Healthcare IT News interviewed Jacki to get a sneak preview of her session.

Q. What are a few of the cultural issues that impede good cybersecurity?

A. There are a few cultural issues organizations are facing right now that impede good cybersecurity. A major one many organizations are working through is the rise of remote work culture.

In response to COVID-19, employees who were used to coming into the office, opening their computers and safely accessing a secured network, suddenly were attempting something different. They worked to ensure their home WiFi networks met security requirements and their workspaces were physically secure – if space even allowed a separate location.

They also had to properly "remote in" to their office and safely manage documents and other issues. On the flipside of that coin, organizations also were scrambling to make changes to their networks to allow employees to engage in secure and efficient remote work.

Organizations balanced this while also managing supply chain shortages on items like computer screens, hard drives and other necessary tools. Employees, who we all know are the first line of cyber defense, also were often faced with the challenges inside their remote work environments. They were helping home school their children or working from home alongside their partners.

These new requirements and distractions created unique security awareness challenges that can be tough to communicate and tackle – for example, helping ensure employees understand corporate devices are for corporate use only, when perhaps there is a shortage of computers at home.

There also is fatigue – errors are made when employees are tired – and COVID-19 and other events have made the past couple of years an exercise in overstimulation and extra work for many.

As remote workers are settling in and organizations have adjusted their cybersecurity strategies accordingly, these cultural issues are creating fewer cybersecurity hurdles. However, they remain challenges and will continue for the foreseeable future.

Additionally, we are faced with our frontline workers being very resource-constrained. This means we must continue to find ways to help support them while they support patients and families, all the while reducing organizational risk.

In addition to continuing phishing campaigns throughout the pandemic, we also are finding new ways to mitigate the cyber risk, like blocking access to third-party email and unsecure digital storage locations.

Q. How do CISOs and CIOs overcome these issues?

A. Overcoming the cultural hurdles to cybersecurity requires a multi-pronged attack.

First, we should always align with commonality, in essence, surrounding patient safety and quality with cybersecurity. One thing to always consider: privacy and security by design. Security teams need to engage with the business from day one on projects and ensure privacy and security considerations are contemplated at the start of a project instead of at the middle or end.

The approach helps avoid complicated processes or procedures tacked onto a project at the end. Not only does this help an organization save money, but it also allows for privacy and security to be seamlessly built into an end-product. If we can make privacy and security easy – and maybe even invisible to the end user – people are more likely to engage and comply.

Another way CISOs and CIOs overcome these issues is by finding common understanding and areas of mutual benefit. When cybersecurity is considered a team effort, more people are likely to engage and seek to be part of the solution.

Frame security conversations so the business knows you are seeking partnership. In other words, communicate that you want to help them succeed and prevent things like ransomware and maintain the confidentiality of data.

Help employees see that the security controls and practices you ask them to follow at work can also benefit them in their home lives. When CISOs and CIOs can focus on common understanding and mutual benefit, their teams are less likely to experience pushback.

Q. What are a couple of effective communication strategies to gain buy-in to cybersecurity matters from senior management (non-security level executives)?

A. When communicating cybersecurity matters to nontechnical senior leaders, it is always helpful to focus on the "why" of any request. It also helps to translate cybersecurity issues into the language of business risk. This approach helps senior management see how a strong cybersecurity strategy and program ties to the mission of the organization.

The importance of translating cybersecurity issues into the language of business risk helps gain buy-in because it puts cybersecurity into language senior management understands. Most members of senior management might not understand firewalls or how to reverse-engineer malware.

They do, however, understand that keeping patients and the organization safe are critical. In order to accomplish that, we must mitigate business risk that can create vulnerabilities.

Monson’s session, "Achieving Buy-In, Changing the Culture around Security and Connecting to the Needs of the Business," will air virtually 11:25-11:55 a.m. on December 6.

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.
