“We’ve been hacked! Go hire a cyber person NOW!”

Exposing the Mythical Savings of Cybersecurity Avoidance

By Clyde Hewitt, Executive Advisor, CynergisTek
Twitter: @cynergistek

Healthcare executives who wait until they have a serious incident to hire a cybersecurity team have already failed on many levels. A serious reportable breach will likely cost an organization more in real dollars than any mythical savings claimed through prior cost avoidance.

The reasons vary, but generally speaking, a large breach costs an organization more to mitigate the damage and safeguard compromised patient data than it would have cost to protect the organization appropriately in the first place. A breach also puts the security and compliance gaps in clear focus for the Board and for external interested parties (e.g., regulators). The resulting mandates force the organization to close those gaps quickly, which leads to unrealistic schedules and inefficient actions.

Recruiting top cybersecurity talent after a reported breach will also be more challenging, because candidates will recognize the negligence of the executive team and question whether the organization has a proper security management program in place.

State of Healthcare Cybersecurity
In 2019, healthcare organizations finally surpassed a long-standing ceiling when the average security budget exceeded 6% of the total information technology budget. For years, that number was in the 3-5% range, but the recent wave of ransomware and phishing attacks has finally started to register at the Board and C-suite level. In comparison, other industries spend between 10% and 15% of their IT budget on security.

Finding the Right Talent
There is a myth that a “cybersecurity professional” is a single individual who is capable of doing everything needed to secure the organization. Hospitals have long recognized the need to hire doctors, nurses, and technicians who work as a team to provide patient care. The same principle applies to cybersecurity. It is important to have security architects to design solutions, security engineers to implement and operate those solutions, and security auditors and technicians to monitor the technology and respond to alerts. The pay for these positions varies widely to match the skill sets needed to perform each task effectively. Attempts to hire one person to perform all of these roles lead to staff burnout and high turnover. It also means that compiling a list of every skill needed to complete all of these tasks significantly shrinks the pool of qualified talent, which makes recruiting difficult.

One way to avoid this is to build a security management program, complete with the various skills needed, and show how all the different parts work together as a team. CIOs should work with human resources to develop career ladders, each with job descriptions that spell out the skills required. Once the career ladder is built, it is not necessary to fund all of the positions immediately, but it will help with recruiting, since less experienced staff will see a future in the organization rather than pursuing opportunities in other, higher-paying domains.

This then leads to a discussion of compensation. A recent study published in Becker’s Hospital Review showed the average salary for Chief Information Security Officers (CISOs) by state, which ranged from $112K to $157K. The national average annual salary for a healthcare CISO, $153,541, is about 15% less than what CISOs make in other domains, and the top tier of healthcare CISO salaries is 40% lower than the national average for similar skills. These numbers should be taken with caution, since they were self-reported in a national survey and not validated with a skills-based study.

Each organization seeking to fill a CISO or other security role should work with human resources to properly define roles and responsibilities, then establish a realistic compensation package based on national pay rates. Unless an organization is in a major metropolitan area, it is easier to recruit nationally rather than locally, in which case local pay scales are not a reliable benchmark.

Hospitals must take a defensive strategy following a breach and should consider outsourcing the cybersecurity roles, specifically through temp-to-hire arrangements. This strategy allows an organization to assemble a team of professionals quickly after a breach. It also provides evidence to regulators that the senior management team understands the seriousness of the situation, and, more importantly, it signals to potential recruits that the organization prioritizes this effort and has a proper security plan in place.