As the rising costs of healthcare and prescription drugs negatively impact US citizens’ abilities to manage their health, regulatory bodies have stepped in to ensure that healthcare organizations follow stringent control requirements that reduce inefficiencies and organizational risk (both business- and cyber-related). Hospital systems have become pivotal players in this effort, serving as healthcare networks offering medical facilities, clinics, and allied services, all of which are important components for ensuring effective healthcare management.
The fundamental objective of healthcare organizations is to provide accessible and quality healthcare services. Certain regulatory bodies and controls aim to alleviate the burden of medical expenses on patients, as healthcare costs in the United States have surged, straining patients and providers alike.
In this case study, we focus on one healthcare network provider that earned nationwide recognition for its inventive approach to risk management and healthcare service framework. Distinguishing itself as a comprehensive healthcare network, this organization went beyond the conventional role, extending its services to healthcare benefits administration tailored for various enterprises operating in the healthcare sector.
The organization of study underwent a notable initiative to develop a cybersecurity compliance program that was specifically tailored to meet the control requirements of the organization’s security and IT departments. The individual who led the effort was the cyber governance, risk and compliance (GRC) manager.
The manager, who had more than seven years of experience at the start of the initiative, spearheaded a project to establish a cybersecurity compliance program that would allow the company’s security and IT departments to meet the greater organization’s compliance control requirements and help alleviate unnecessary risk. A major element of the effort required the manager to review current processes and create the cyber line of defense (CLoD). The intention of the CLoD was to help the cybersecurity department streamline IT audit requirements and communicate effectively with auditors, both internal and external. Once formed, the CLoD acted as an intermediary between the internal audit, IT, and cybersecurity teams, helping each business unit identify the internal controls that could be used to improve the organization’s security posture. Further, the CLoD would work hand-in-hand with cybersecurity subject matter experts (SMEs) who could translate the technical features and functionality for any auditors who were less technically inclined and needed assistance understanding how the technical controls map to internal business requirements.
By way of background, a CLoD is incorporated into risk management efforts where it serves the so-called three lines of defense. The CLoD sits between the first line of defense (management and business owners who own risk), the second line of defense (risk and compliance teams who oversee risk control processes), and the third line of defense (audit, which provides independent assurance). A CLoD allows the first line to communicate to the second and third lines in a manner that reduces stress, increases productivity, and reduces enterprisewide risk exposure. The first line of defense, therefore, has the obligation to consult with the second line of defense. Together, they identify and strategize risk management practices that control sources of risk owned by management and business teams.
The purpose of the CLoD, therefore, is to help any department clearly communicate cybersecurity or risk factors in straightforward, non-technical business terms.
Returning to the specific business example detailed in this case study, the CLoD was formed to help deliver security in a way that was both understandable by non-technical staff and repeatable so that the organization could reduce the overall time, cost, and effort needed to meet business goals. The CLoD would also serve as a digital trust chain, which would allow for continuous monitoring and control while offering the internal IT team and auditors the level of independence they needed to be most effective in meeting audit goals and requirements. The processes that were implemented as part of this effort offered a road map that could be followed time and time again. In other words, the CLoD helped develop a step-by-step set of guidelines, based on leading industry practices, that removed the need to start from scratch each time an audit was conducted or a security control needed to be implemented.
Challenge
The manager of cyber GRC started her career as a data analyst before moving into roles as a security operations center (SOC) analyst and threat modeler. After gaining more than a decade of experience and obtaining three post-graduate degrees, she began to move into more senior roles. At this point, it dawned on the manager that no one in any of the enterprises she had worked for had explicitly indicated that there were IT control requirements that had to be met. Instead, she and her teammates focused on known problems and technical issues, but were not in alignment with any requirements, guidelines, or frameworks that should have been followed for the benefit of the enterprise, customers, or stakeholders. The lack of communication about control requirements and standards led to misalignment with business goals and compliance requirements.
Solution
At the time of this realization, the manager was working as a team manager of cyberrisk and controls in the healthcare industry. The company was going through a System and Organization Controls (SOC) 2 engagement, so she met with the internal audit department heads to try to align processes and controls. But as they were discussing the SOC 2 audit, it was decided that the security and IT teams needed to develop documented control self-assessments (CSA) processes to keep them on track. Together, as a newly formed CLoD, the manager and the internal IT team created new processes and process documents to more easily meet requirements (which could be mapped back to the control requirements) and do so in a repeatable manner. This process allowed internal and external auditors to maintain a level of independence never before seen at this organization.
In addition, the teams began mapping internal process and technology requirements to the “why.” In other words, the members of the CLoD wanted to ensure that IT, security and audit teams understood the reasons behind the detailed processes and controls so that the staff did not feel as though they were merely checking boxes or conducting exercises to fulfill arbitrary requirements. They wanted everyone to know how the processes and controls made a demonstrable difference as to the efficiency, profitability, and operational status of the organization. In conjunction with building CSA processes, the CLoD built an annual training program for all line-of-business managers across the company. The goal of the training was akin to the process documentation project: to help line-of-business managers and executives understand why technology and audit processes and controls needed to be implemented the way that they did. As intermediaries between strategy and technology, the CLoD team was in the best position to assist with building training and awareness programs that fit both technology and business needs.
Results
These activities allowed for an overall culture shift for the security, IT, and audit teams. The processes helped create a level of resonance and clarity for the controls that had not previously existed at the company. Not only did these processes and trainings help establish a culture of accountability, but they also resulted in the team’s ability to close long-standing audit findings that had never been addressed.
With a clearer understanding of why work was being done, and well-defined processes for getting it done, team members felt more comfortable taking greater initiative and working autonomously while continuing to collaborate with colleagues.In addition, using the new processes, the team was able to assess downstream effects of repeatable and documented processes. As a result of their dedication and commitment, the technology and security teams were able to not only identify, but also fix audit findings. The processes and improved communication between teams gave the technology staff the skills, processes and support needed to do their best work.
An unexpected result of the CLoD’s work was an increase in confidence of the members of the technology and audit departments. With a clearer understanding of why work was being done, and well-defined processes for getting it done, team members felt more comfortable taking greater initiative and working autonomously while continuing to collaborate with colleagues. The manager started seeing increased confidence in her team members because they now had the knowledge and a framework that would allow them to be more effective and efficient in their roles, giving them a path to greater career opportunities and achievement.
Metrics
The result of forming a CLoD and all the elements that go with it—including developing processes and procedures for controls mapping, team collaboration, communication, audit remediation, and technology governance—allowed the IT security and compliance team to evolve from the lowest ranking team as measured by the Gallup Employee Engagement Score1 to one of the highest ranking teams in the organization. The team that had started with high 2–low 3 rankings achieved a high 4.98 Gallop ranking in less than a year.
The efforts of the CLoD helped the manager develop a way for security, compliance, and audit teams to adhere to strict processes, communicate those processes companywide, and adapt to change.
In addition, the formation of a CLoD allowed the company to improve upon its risk category. After demonstrating the positive change introduced by CSA, including the creation of an outcomes-based program, the manager was able to gain executive support to improve the company’s phishing awareness program and bring compliance, security, and accountability to the entire organization. As a result of a formal security awareness program, the company’s security posture rating increased from approximately 40 percent efficacy at identifying and managing phishing attempts to 91 percent efficacy (figure 1).
By giving employees more context, more knowledge and improved skills, the company was able to institute a culture of accountability. By explaining the why behind certain controls and processes and remaining vigilant when it came to repeatable processes that could produce demonstrable results, everyone working for the company was able to align with overarching business goals and see how their own independent work helped achieve those goals.
Further, the practices and processes developed by the CLoD allowed for repeat audit findings to be remediated and closed, resulting in reduced organizational risk. Having a defined program allowed the security team to evangelize cybersecurity best practices and educate people on the bigger picture of why cybersecurity matters to the business. Initiating, gaining support for, and implementing the CLoD took hard work and was not immediately embraced by everyone at the organization. Nonetheless, audit results have improved so much that it is hard for anyone who initially objected to deny the process.
Finally, another significant achievement that resulted from the CLoD’s work was the enforcement of a companywide acceptable use policy (AUP) that required all employees to review and agree to the terms every year. The AUP covered company-issued devices, meaning that the organization can now place geolocation tracking on devices (to reduce risk for lost or stolen devices and identify unauthorized use), monitor data on devices (to ensure data compliance), and institute a user behavior analytics (UBA) program to identify patterns and report on areas of human risk.
Having a defined program allowed the security team to evangelize cybersecurity best practices and educate people on the bigger picture of why cybersecurity matters to the business.The UBA program in particular allowed the security team to gain an initial understanding of how employees perceived their own security postures. Through this assessment, the IT security and compliance teams were able to observe employees’ online behavior and identify the biggest security and compliance risk factors. Unsurprisingly, what they found was that their biggest risk was people, namely people using technology in ways they should not be, either unintentionally or intentionally.
Nonetheless, monitoring and correcting unsafe user behavior allowed the security team to work with employees, train them in stronger security and technology best practices, and, ultimately, decrease the number of employee issues resulting from a lack of knowledge.
One year after implementing the behavior analytics program, the manager says that employees proactively reported to the security department when they saw something suspicious or when they wanted to ask about acceptable user behavior.
Professional Challenges Impacting Business Challenges
The manager faced numerous governance, process, and operational challenges related to security, intrateam collaboration, and executive buy-in—all familiar challenges to security professionals. On top of this, however, she felt the added pressure of being a younger woman in a leadership role working in industries traditionally dominated by men: security and healthcare.
The manager felt that being a woman in male-dominated fields required a level of commitment and strength. Although the manager did not lack confidence, as a younger female professional, she struggled to get the attention and respect of her male colleagues. Rather than focusing on the negatives, she decided she would pursue knowledge and experience that would make it hard for anyone of any gender or age to question her background. Thus, the manager pursued multiple post-graduate degrees in an effort to demonstrate her knowledge and dedication to hard work. These degrees spanned business leadership, security, healthcare, and psychology. She felt this combination provided a broad, yet deep, understanding of all the elements it would take to thrive as a security leader in the healthcare industry.
Mentoring Others in Continuous Learning
The manager also resolved to use her experience as the underdog to inform how she would lead her team. She worked closely alongside her direct reports and took every opportunity to let her team members know that she supported them through obstacles and difficult working situations. As a result of this support, the team gained confidence in its abilities and mirrored the manager’s pursuit of continuous learning. This resulted in a higher quality of work and greater accountability in the team members’ roles and responsibilities. They knew they were trusted to work autonomously, without a manager who felt she had to double check everyone’s work and be granularly involved in every project. The team members had their own voices and were empowered to make decisions, speak up, and do their best work to be effective for the company and for themselves.
To further improve their individual skills and grow as professionals, the security team members found that earning certifications and certificates has been beneficial. Some of the most popular options include the Certified Information Systems Auditor® (CISA®) certification, the Certified Information Security Manager® (CISM®) certification and the Certificate of Cloud Auditing Knowledge® (CCAK®). The opportunity to take courses and become certified in various areas allowed the team to constantly expand its knowledge while keeping up to date with the latest processes and techniques in security and auditing. Most importantly, team members felt that they could accomplish more not only technically, but also in the areas of leadership, communication, and other soft skills that are a critical part of running an effective department. The combination of “people ops,” business acumen, and diversity lays the path for diversity of thought and a more well-rounded organization.
Endnote
1 Gallup, “Gallup’s Employee Engagement Survey: Ask the Right Questions With the Q12 Survey,” USA, https://www.gallup.com/workplace/356063/gallup-q12-employee-engagement-survey.aspx
KATIE TEITLER
Is a senior product marketing manager at Axonius where she assists with the company’s cybersecurity asset management product messaging. She is also a co-host on the popular podcast Enterprise Security Weekly. Prior to her current roles, Teitler was a senior analyst at a small cybersecurity analyst firm, advising security vendors and end-user organizations and authoring custom content. In previous roles, she managed, wrote, and published content for various research firms including MISTI (now part of the CyberRisk Alliance), a cybersecurity events company; and was the director of content at Edgewise Networks, now part of ZScaler.