Why Focusing Too Much on Today's Cyber Threats Is a Bad Idea
Security Expert Bob Chaput on Taking a Risk Management 'Long View'
Healthcare organizations must take a long view in their security risk management programs rather than focus on the "cyberthreat du jour," says security expert Bob Chaput.
"Cyberthreats are obviously evolving. In 2016, if it was the year of any particular threat ... it was certainly the year of malware, and more specifically ransomware attacks," says Chaput, CEO of the Florida-based consulting firm Clearwater Compliance. "But what continues to be a very foundational concern is the insider threats, whether it's incidental or malice with intent. ... Security programs involve policies, procedures, people and reasonable and appropriate safeguards. It's been shown ... that the weakest link is individuals."
In an interview with Information Security Media Group, Chaput warns against a focus solely on current threats. "If we get too focused on the threat du jour or the vulnerability du jour ... if we get too fixated on the issues or the items of the day, it is going to compromise our ability to take the long view."
While organizations do need to be prepared to deal with issues of the day, "as you stand up to do a risk management program, it must transcend today's information assets ... threat sources ... threat events ... vulnerabilities ... controls. All of those key ingredients in an information risk management program, and specifically in doing risk analysis, are going to be changing all the time."
In the interview, Chaput also discusses:
- Other common missteps that many healthcare organizations make in their approach to security risk management;
- Corrective steps healthcare organizations can take toward having a more "programmatic" approach to security risk management, including implementing the National Institute of Standards and Technology cybersecurity framework;
- Why focusing on compliance with the HIPAA Security Rule is an inadequate approach.
Chaput has nearly 40 years of combined healthcare and cybersecurity experience, managing complex projects for more than 500 clients, including large healthcare delivery networks, hospitals and health plans. He holds several professional and technical certifications, including the Certified Information Systems Security Professional (CISSP), Health Care Information Security and Privacy Practitioner (HCISPP), Certified in Risk Information Security Controls (CRISC), and Certified Information Privacy Professional/US (CIPP/US).