The Changing Role of Healthcare CISOs
New Association Helps Security Leaders Collaborate
CISOs are taking on expanded leadership roles at many healthcare organizations, moving from being entrenched in technical issues to becoming more involved in top-level business-related matters, says George McCulloch, who leads the new Association for Executives in Healthcare Information Security.
Increasingly, CISOs - as part of the "CIO suite" - are being asked to address the board of directors without the CIO being present as cybersecurity gains board-level attention, he says. "They're talking to the business about what's going on with threats, and representing the IT group and security function. So it's really changing the CISO role from a technical one - particularly at large organizations, but even small ones - to a leadership role and [one of] communication," McCulloch says.
In recognizing this trend, the College of Healthcare Information Management Executives - whose members are mainly CIOs and other top IT leaders - last August formed AEHIS as a new subgroup to help provide professional networking and education services for CISOs.
"We really want to help CISOs move their communication and other skills to a level where they can represent the function that they have," McCulloch says in an interview with Information Security Media Group. The new group, which has 200 members so far, also helps CISOs to collaborate with their peers on how to address cybersecurity challenges they face, he adds.
Among the biggest frustrations healthcare CISOs are facing is gathering information "to manage the cyberthreats they're facing and what might be coming, and using the tools they have to proactively act on those threats," he says. Another top frustration is obtaining adequate funding because so many organizations have limited resources, he acknowledges.
In the interview, McCulloch also discusses:
- CHIME's recent launch of two other subgroups for chief application officers and chief technology officers, both of which also deal with security issues;
- The cyberthreats posed to healthcare entities by insiders as well as external actors;
- Some of the information security and privacy issues that were most challenging in his previous role as deputy CIO at Vanderbilt University Medical Center.
Since April 2014, McCulloch has been CHIME's executive vice president of membership and professional development, overseeing all aspects of the organization's certification and membership initiatives, including directing the launch of the new subgroups. Before serving as deputy CIO at Vanderbilt, McCulloch held CIO and senior IT titles in organizations ranging from a 200-bed hospital in Northern Illinois to larger organizations in Western Michigan and Central North Carolina.