A recent article about information security challenges in healthcare pointed to the lack of resources many security teams report. They face staff shortages, lack of expertise and tight budgets. They find themselves unable to do the work they believe needs to be done.
In thinking about any problem, I always focus on what can be done. The truth is, there’s almost always something that can be done even if you can’t fix the bigger problem. After all, part of risk management is making any risk smaller, so why not approach resource challenges in the same way?
Solving Small Team Concerns
When faced with a small security team, one healthcare organization decided to distribute the security team’s work across the infrastructure teams. Though they had two people dedicated to information security, they also shifted the culture and expectations so that everyone, from the service desk analyst to the desktop analyst to the server and network engineers, knew that security was part of their job. They eventually added the applications leads to the mix to ensure security was truly an IT department focus, not just a security team focus. This had the effect of extending the security team without adding people. And it created numerous added benefits because now managing and monitoring security was not “someone else’s job,” it was everyone’s job.
Update job descriptions, set expectations, train staff in information security fundamentals (according to their job function), auditing and monitoring. Give them the tools to be effective members of the IT department knowing that, in today’s environment, security is everyone’s job. When the server team adopts system-hardening processes and audits those results on their own, security is improved far more effectively than if you have some security team person harping on hardening servers. The same holds true for managing application security. When the apps team understands how to assess, deploy and test for secure applications, security is improved at the point of origin rather than fixing a defect later (and for those of you familiar with Lean, this is a core concept). Building security into the standard work of each team not only teaches them about security in their area of expertise (while adding to their job expertise and often their satisfaction), it enhances the organization overall.
Addressing Lack of Expertise
There is a growing industry of security service providers. Everyone is facing talent shortages, but healthcare can be particularly hard hit because financial margins don’t allow for spending top dollar for talent in a highly competitive field such as information security. Some healthcare organizations manage to recruit and retain top talent by offering excellent working conditions and continuous professional development – but that doesn’t mean you can find, retain or reward those individuals in a tight job market. That’s where professional services can come in. Renting security monitoring, for instance, can be less expensive on an annual basis than adding another person. So, having a 24x7 security monitoring and alerting service may be an excellent approach to improving security without adding additional staff. Look for services you can use on a subscription basis or on an as-needed basis to add to your security program without breaking the bank.
Managing on Tight Budgets
The other major complaint that often arises is lack of budget to purchase and implement new security tools such as network monitoring or user behavior analytics. While these tools provide tremendous benefit when implemented and used correctly, two things are true. First, purchased tools are often only partially implemented because healthcare IT has so many spontaneous projects and needs that teams become overwhelmed or distracted. So, buying the latest tool may not really solve the problem. Second, if you lack the budget to buy new tools, your very first step should be to re-assess the tools you do have. Sometimes you haven’t fully implemented the tool, or haven’t implemented it in the most advantageous manner. Sometimes you have poor processes wrapped around the use of the tool that could be improved. If you’re not fully utilizing what you have, that should be your first effort.
Sometimes you can find add-ons or expansions to your existing tools that may be less expensive than bringing in a whole new software solution. Have your vendors come in and talk with you about what else their solutions can do for you. Sometimes there are no-cost or low-cost options you wouldn’t otherwise have considered.
Still other times, if you feel strongly that you need a particular tool, have the vendor help you make the business case. They should be able to provide industry data, comparison data and benefits data. If they help you implement a proof-of-concept deployment, take lots of notes about the before and after state so you can gather data to make your case.
Get Creative with Training
There are a lot of excellent training opportunities available to enhance the security skills of your team. Some are very expensive, but many are not. Try to negotiate for training dollars or training credits with major vendors when you sign a new contract or large purchase. Vendors will often toss these in if asked. If your expense is limited to travel (and not paying for the course), your training dollars will go much further. Look for online or distance learning options to reduce travel expense, and consider free webinars from industry leaders (ISACA, SANS, HIMSS, etc.) as well as vendor webinars, which may be skewed toward their product but may also educate on the broader topic at hand. Keeping staff trained will enhance their job satisfaction and improve your organization’s security. Additionally, certifications in security or auditing areas add credibility to your work and may help you make the case for more people or more funds.
Make the Business Case
Too often, those requesting additional resources fail to make the compelling business case. Make sure you have put together a concise document explaining the current state, the risk of that state, the proposed solution and why the investment is required. It may not always be approved, but you’re unlikely to get anything you need without it. And, as a leader, it’s good practice to present a professional business case in support of your requests.
None of these ideas will solve the problem of being short-staffed or under-budgeted, but they will help mitigate these risks while you work to make the business case to your executive team about why they need to support these kinds of investments. It’s often hard to fight for dollars to prevent the “hypothetical” event (the same problem exists with business continuity planning). Healthcare executives should understand that healthcare data is at the center of the target for attackers and, ultimately, they need to make the investments needed to keep the organization as safe as possible. In the meantime, you can reduce your risks by taking small, meaningful steps toward your goals.
Author’s note: For additional articles and resources focused on IT leadership, visit Susan’s website, www.susansnedaker.com.