Building Habits for CISO and Security Officer Success

by Chris Bowen
Chief Privacy & Security Officer and Founder

This year, I am going to post several pieces exclusively for my fellow CISOs and Security Officers working in healthcare. Our work is daunting. For some of you, the role may be a transition from another healthcare role, or you may be entirely new to healthcare. Over the years, I’ve learned some lessons I can share, especially with those new to the profession. It’s easy to feel stymied by where to start defending the castle when there are so many attack vectors. In this post, I’m sharing some observations about the importance of building good security habits. I’ll also show you some lessons we can learn from athletes who rely on good habits to succeed.

But first, let’s acknowledge where we are at the start of this new decade.

Many of us are still shaking our heads in wonder at all that transpired in the decade that just passed. It seems like just yesterday we were all grappling with the HITECH Act and healthcare’s mass migration of paper to digital health records. Back then, we all thought that virtual computing was an incredible innovation. We’ve come a long way since then.

We’ve seen a staggering amount of new data, and with it a seemingly endless number of innovations that just touch the edge of all that is possible. Three major tech giants rolled out new, public cloud technologies. My colleagues and I spent the last decade educating the healthcare industry about how their data could be much safer in the cloud. We spoke to how the security and redundancy available in the cloud could surpass any capability brought by existing data centers in the basement, or colocation facilities. These cloud advancements were due in large part to unsurpassed investment by AWS, Google, and Microsoft.

Today, security officers are faced with exciting and challenging innovations like cloud platform services, serverless technology, big data, machine learning, containerization, artificial intelligence, and the evolution of quantum computing. What was science fiction or Star Trek a few years ago is now commonplace.

With the good came the bad, however, as the number of healthcare data breaches reached just under 3,000, victimizing over 230 million lives since 2009.

That’s 66 percent of U.S. citizens having to live in fear that their health record was compromised, used for unauthorized purposes, or that their medical identity was stolen. This recent article from Security Boulevard makes clear the cost to those victimized.

Though the healthcare industry continues to advance technologically, we need to be able to translate that into better data protection. The good guys have grown overwhelmed, or complacent, or distracted (i.e., not training and monitoring for phishing attempts on employee emails) while the bad guys have gotten much more inspired and sophisticated. The industry needs to take up arms and fight back to protect patient privacy. That said, there are smart ways and futile ways to tackle giant challenges.

A smart way is to start building good habits. We all know that building habits takes work and time. Building good habits also takes intention. Here are four strategies for habit-making and goal setting to help security officers succeed instead of fighting unsuccessfully against the cybercrime machine like Don Quixote. We can borrow from four habits successful athletes use to reach their peak performance.

Develop Micro-strategies and Tactics

It’s okay to have a big, hairy, audacious goal. Books including “Built to Last: Successful Habits of Visionary Companies,” by John Collins and Jerry Porras speak to the importance of aspiration in direction setting. Your company should have one and it should be clearly articulated. But that doesn’t wrap up the challenges of day-to-day life for a CISO or Security Officer. If you are an athlete and you want to break a world record by running a marathon in less than two hours like Eliud Kipchoge did last year, it’s safe to say you have to attack the race in smaller increments first.

Say, for example, your marathon is eliminating all of the vulnerabilities in your environment. That’s a big, hairy, audacious goal. Without some micro-strategies or tactics to get there, you are going to get lost in the process and not be much ahead—if at all—by the end of the year. Instead, set smaller, achievable, accountable goals and create lasting cybersecurity habits that will serve you and your organization. Perhaps it’s setting—and not wavering from—your patching cadence. Perhaps it’s rigor around employee training to recognize a cyberattack before they click that link. Or maybe it’s setting aside one hour every single morning to review open ports. Build routines that mechanize some of the necessary work into smaller, achievable daily habits.

Eliminate the Need for Excessive Decision Making

We’ve all had those days where you feel like your head is going to explode because there are so many things happening and so many decisions to make. At our company we call that “VUCA” (look it up!). Scrutinize your work and see what you can do to get rid of excessive decision making. Here’s an example from a non-professional athlete, but it’s training related. I’m a 5 a.m. Orange Theory Fitness guy. If I wake up and then decide to gather my workout clothes, towel, heart monitor, energy drink, etc., there’s a good chance I’m either late or, worse, I decide not to go. I’ve made half a dozen decisions before I reached for my car keys. And there’s a likelihood I may forget the towel, or monitor, or cell phone. It’s a repetitive task, so now at night I just lay out everything I need. I wake up ready, execute my routine and free my mind to burn some calories. Look at your workday. What are you doing every day that could be made simpler?

For example, every day your team has things they do on the security front. Make a list. Have your team work the list rather than starting from a blank whiteboard of what to do every day. One of my favorite books is The Checklist Manifesto by Atul Gawande. He illustrates the power of checklists in preventing medical errors in surgery. Imagine taking the guesswork out of your team’s day-to-day. If you can build a meaningful checklist for each role on your security or privacy team, and then apply automation so that your key metrics show up in the right place at the right time, you have added significant value to your company and your customers.

Plan and Visualize Your Process

We’ve heard from so many golfers – they have to “see” the ball to the pin before they start their backswing. If I’m about to tee off on a golf course and I visualize a nice, easy straight shot, chances are I’ll hit one. But if I allow myself to see that desert off to the right, or the house off to the left, chances are I’ll be doing the walk of shame to retrieve my ball from one of them. There’s been a large body of research about the positive effect of visualization. It’s not just for athletes. Positively visualizing the outcome of your security processes can help security officers develop better security hygiene habits. Thinking through the individual steps of a larger process can be helpful to reduce anxiety and the feeling that tasks are too daunting. For example, maybe you have discovered some risks that seem impossible to reduce, like 1,000 servers that are behind in patching. Try to visualize how automation can help you, then take the first steps. Envision small daily goals being achieved. Celebrate your team’s wins every week.

Examine your Security Hygiene Habit for Gaps

One of the other benefits of visualizing your processes is that visualization will help you find out where things are breaking down. In any fast-paced, high-growth company, you must fail fast. Think of the football or soccer team watching the videos of their last game. Their coach can narrow the scope to a single play that was pivotal to the game’s outcome. They can watch the play and see where communication or planning broke down. By taking time to look at your processes in smaller increments, you will see that X continually struggles at Y, and your team can iterate and fix the problem. Failing fast is important.

Once you have the basic good habits down for the repetitive day-to-day aspects of your job, you’ll have some freed time and thought to focus on some of the most pressing issues CISOs and Security Officers face – like data sprawl. There are innovations and technologies emerging that can help you reel that in as part of your larger data hygiene. A PHI inventory is a great start because once you become aware of where your sensitive data is throughout your ecosystem, it will be easier to take small, consistent actions to protect it.

Create a Culture of Continuous Improvement

Another piece of advice is to look not only at your mindset, but also at the people you hire. The coach and the team must be aligned on strategy. Is your strategy to create a culture of continuous learning and continuous improvement? I hope so. Look at who you hire and look past the skills they list in bullets on their resume and LinkedIn profile. Given how fast technology is changing the landscape of healthcare, you’ll benefit from hiring people who want to learn and exhibit intellectual curiosity. Some of the best athletes weren’t picked up for teams because they had perfect form on the ice or slopes. They were chosen because they had perfect heart, in that they wanted to improve their game every single day. When you hire based on skills combined with intellectual curiosity, you’ll build an environment where your team can experiment within safe boundaries with more advanced technology. Create a culture that fosters learning for the team while respecting the need for a culture of compliance, so all eyes and hands are on protecting PHI—not just your eyes.

You can align your team by articulating your goals and action plans through Objectives and Key Results. We use the Lencioni method throughout our organization. It’s our playbook. We constantly measure and iterate against it.

Make creating these good habits part of your goals, and measure your progress against them.

As we come into this new decade, let’s leave the past behind and with it this historic number of data breaches and records compromised. Let’s focus on a commitment to doing things better and safer. As security stewards, the pressure is on us to do our work smarter, faster, and with constant new technologies and innovations. By building good habits, you’ll be better prepared to succeed. Here’s to a new decade of continuous improvement and continuous learning.

It involves routine. It involves discipline. It involves repetition. Let’s get started.
