What's it take to be a successful CISO? Mark Dill, former longtime information security director at the Cleveland Clinic, says it comes down to being patient, persistent and perceived as practical.
"Operating within the culture boundaries of an organization is key," says Dill, who recently retired from the Ohio-based integrated healthcare delivery system and joined Kansas-based consulting firm tw-Security as a principal consultant.
"I've always strived to mature an organization, and that takes time," he says. "Technically there are a lot of controls, but I focus on the SANS [Institute] top 20."
In addition to their day-to-day security responsibilities, CISOs can't lose sight of their regulatory responsibilities, including HIPAA compliance, he says in an interview with Information Security Media Group.
"You have to submit plans that are aligned with the business objectives that definitely demonstrate how you're going to comply, and [make sure] that everything you ask for aligns with either a legacy threat you haven't dealt with yet or an emerging threat," he says. CISOs need to examine the root cause of breaches that have hit other organizations and then determine if their organization faces similar risks, he adds.
It's also important that CISOs avoid thinking too narrowly, he says. "Plans need to be enterprisewide - not just at one location. And hospitals that are going through an acquisition phase are going to be challenged with that because they are going to inherit the next acquisition's strengths and weaknesses, and that has to be dealt with."
CISOs also need to be ready to answer tough questions from their board of directors, he says. "CISOs are being asked a new set of questions by the board about cyber preparedness," he notes. "They're going to want to know what's most likely to happen ... given an organization's particular strengths and weaknesses - and, most important, what [is the CISO] going to do about it."
In addition to learning how to communicate with the board, CISOs must build rapport with peers and those in the trenches within the organization, he says.
"When you can always articulate the value of your program in unexpected ways or its contribution - that is important," he says.
It's also important for CISOs to recognize when it's time to cut the cord on outdated processes, practices, technologies and skills, he notes. "If something ceases to add value, whether it's talent or a process that's not working, or an old tool, you need to make tough choices and cut it up and free up opportunities to afford new things."
In the interview, Dill also discusses:
- Tips for dealing with business associates;
- The biggest privacy and security challenges facing healthcare entities in the year ahead;
- Other advice for information security professionals aspiring to become CISOs.
Before joining the consultancy tw-Security in late 2015 as a principal consultant, Dill worked in information security at the Cleveland Clinic for more than 20 years, including the last 15 as its director of information security. In that post, Dill was responsible for the deployment of information security and disaster recovery best practices and regulatory compliance. He has more than 25 years of IT and technical management experience, with a focus on implementing strategic and tactical security initiatives.