Not every healthcare organization has the budget for a dedicated information security official, so virtual Chief Information Security Officers (vCISOs) have entered the scene offering new expertise, capacity, even hope for organizations who once bolted cybersecurity onto an existing officer role.
Case in Point: an organization without a dedicated security official
One of our partner organizations feared their cybersecurity posture posed great risk to their growth agenda, revenue goals, and even patient outcome standards. Their resources were always scarce – even for top priorities, so they involved an information security official in a fractional capacity. Why? Because 1) their budget allowed it and 2) cybersecurity risks demanded it.
The organization had named the following teams to participate in cybersecurity: Security Council, Steering Team, IT Security Committee, and they appointed a Security Officer. Each person was assigned this role in addition to the responsibilities of another leadership role – none were solely focused on cybersecurity. They needed to extend the expertise of their leadership team without incurring the budget of an additional executive.
How we helped
A virtual Chief Information Security Officer (vCISO) from CereCore fortified the organization’s cybersecurity program with expertise and healthcare focus. The vCISO worked as an advisor for the assigned security officer HIPAA requires. The partner organization’s security officer owned and operated the security program considering the advice and counsel of the vCISO. The vCISO brought strategic direction, expertise, and capacity to improve the organization’s security program. In this example, the vCISO assisted the organization in three areas:
- defining the cybersecurity strategy
- building cybersecurity resilience
- improving cybersecurity posture (defense against risks and vulnerabilities)
More on vCISOs
A vCISO is an advisor that starts with an assessment of your current security program, compares your current state with the priorities you have identified, and determines strategic direction and plans to achieve those priorities. vCISOs advise on security, resilience, and compliance strategy based on your organization’s:
- Current threats and risks
- Compliance requirements
- Business and IT requirements
- Preferred security framework (such as the NIST CSF 2.0)
- Priorities for improvement
How are vCISOs involved with organizational leadership?
Leadership teams work with a vCISO to define the scope of their work and the anticipated time to accomplish the priorities. They consider HIPAA security rules, findings of a current state assessment, and other requirements to develop an effective security program at their organization. The vCISO then assumes responsibility for the operation of the security program according to the specifications for priorities, budget, staffing, and other resources determined in concert with the leadership team.
What are a vCISO’s responsibilities?
Evaluate the organization’s cybersecurity program. According to direction from the leadership team, a vCISO helps define cyber strategy with a plan of actions to improve the security, resilience, and compliance of an organization’s security program based on:
- Assessment of the current security program effectiveness, scope, maturity, compliance, adoption, governance, and more
- Priorities for improvements determined by a security governance committee which they help create if one does not exist
- Strategies to make improvements according to the decided priorities
Build on existing cyber resilience protocols and measures. Cyber resilience is an organization's ability to continue to deliver its services, despite adverse cyber events. As part of the assessment of the current security program, a vCISO evaluates cyber resilience and makes recommendations based on gaps and industry standards such as in NIST SP 800-160, vol. 2, Developing Cyber Resilient System and chosen frameworks such as NIST CSF and NIST 800-160. Assessment findings are prioritized with input from leadership and incorporated into the cybersecurity program.
Current processes and workflows analyzed during assessment often include:
- Identity and access management
- Security monitoring and response
- Threat and vulnerability management
- Configuration management
- Asset management
- Security awareness training
- Risk assessment and risk management
- Process improvements (such as automation)
- Tactics and support requirements in the event of an actual cybersecurity incident
Improve current cybersecurity posture. Action plans and initiatives informed by a strategy roadmap are developed with timeframes, sequencing, and resources needed to implement systems and workflow changes and to fully operationalize the changes. vCISOs work with the organization to ensure annual security assessments and to formulate detailed action plans that:
- ensure ongoing improvements to an organization’s security posture
- enrich current security standards and protocols including roadmap and policy development
- ensure the organization’s ability to respond to a dynamic threat landscape
- analyze current healthcare security trends to proactively provide the ability to prepare for future developments
Operationalize and oversee cybersecurity awareness practices. Day-to-day, a vCISO helps the organization maintain an understanding of threats to the healthcare sector, communicates that knowledge and assists in the development of plans to reduce the organization’s overall risk. They monitor information relating to threats and risks in the healthcare sector via notices from InfraGard, Cybersecurity Infrastructure Security Agency (CISA), US-CERT, US Department of Health and Human Services (HHS) and others. The vCISO will provide updates to leadership on important changes to the threat environment.
Provide support in the event of a cybersecurity incident. If an organization experiences an event, a vCISO provides guidance on executing incident response plans. No organization wants to turn to a vCISO for this expertise, but the additional capacity and expertise can be a valuable addition to any leadership team if needed.
vCISO Value Summary
vCISOs present a viable option as organizations get creative with their budgets and resources in an industry with the potential for dire organizational consequences in the absence of capacity, expertise, and resources that bring cybersecurity program confidence.
Editor’s note: For their protection, CereCore does not reveal the identity of partners who work with us for vCISO, medical device management, incident recovery, risk mitigation, or other cybersecurity advisory services.
For more information download the Cybersecurity Advisory Services overview.
