This Week Health
February 6, 2025

“Security Is a Tax”: Duc Lai Discusses the Misconceptions and Challenges Facing CISOs

One of the biggest misconceptions around cybersecurity leadership is that it’s all about breaches. Although the goal is indeed “to reduce the likelihood of a breach as much as we can,” according to Duc Lai, CISO and VP of the University of Maryland Medical System, that’s only a piece of the puzzle. “We also need to think about resiliency – how quickly can we detect, respond, and recover from a cyberattack?”

The biggest piece, he has found, is around risk; more specifically, the ability to accurately communicate it to the board and senior leadership and secure the funding needed to ensure healthcare organizations are constantly improving their cybersecurity posture.


“In our industry, it doesn’t take long before the status quo becomes obsolete and outdated,” noted Lai. “What we’re doing may be good enough today, but how can we continue to make it better? What else should we be doing?” The ultimate objective is to build enough resiliency to be able to minimize the impact of a cyber event and facilitate a quick recovery. “That’s the mindset and the challenge we have.”

During a recent Keynote, he discussed the most critical challenges facing cybersecurity leaders – including the human element, and how the valuable lessons he learned both in the military and his early career helped shape his philosophy.

Explaining the why

One of the many hats security leaders need to wear is that of evangelist, according to Lai, particularly around cost. “I like to say that security is a tax that we all have to pay and we all have to contribute to for the greater good,” he said. Providers, however, often already feel taxed with everything on their plates, whether it’s entering notes or looking up patient records. The last thing they want is to deal with security measures. “We need to think about how we as security practitioners can accommodate for that workflow with compensating controls.”

Much of that, he has learned, comes down to a simple, yet critical concept: keeping an open mind.

“You have to understand what your providers, your users, your employees, and your team members are trying to accomplish,” he said. “You have to work with them and be flexible and agile in your security controls. That’s going to help you find the balance.”

But it doesn’t come easy. Maintaining that balance is a constant effort that requires a great deal of creativity, according to Lai, who cited a recent example in which employees (especially those working long shifts) requested access to personal webmail. Despite having reservations, Lai’s team worked to find a solution that enabled employees to communicate with family members in a secure manner.

“To me, that was rewarding because we were able to reduce our attack surface while still allowing them to stay in touch with their families,” which in turn can lead to higher satisfaction and productivity.

Defining moments

It’s a compelling example in and of itself, but it’s also part of a larger philosophy that has guided Lai throughout his career – and was put to the test early on. After serving in the U.S. Army (as a West Point graduate) and studying engineering, he took on a role architecting a security program for a financial institution. His agenda, however, quickly shifted when the company was hit with a security attack during his first week.

“I was thrown right into the fire,” said Lai, who immediately locked down the firewalls and installed more advanced antivirus software. Despite the rocky start he remained with the organization for 13 years; at that point, “the security program had matured to the point where we had all of the proper controls in place,” he recalled. “I felt that what I was leaving behind was impactful and would endure. For me, that was a defining moment in my career.”

Lasting legacy

Like many leaders with military experience, Lai was drawn to healthcare’s mission of serving the community and being part of “something that’s bigger than yourself.” And as he has progressed in his career, it has become increasingly critical to ensure he’s making a positive impact. 

“When I think about my legacy, am I leaving behind a security program that can endure and live beyond my tenure?” Viewing it through that lens, he added, can provide leaders with a valuable perspective.

“It changes the way you look at decisions that you have to make, because then you look at the long game and focus less on the immediate fire that you're trying to fight, which we all do every day,” he continued. On the other hand, by focusing their energy on implementing initiatives, improving processes, or strengthening partnerships, leaders can enact changes that can lead to a more secure environment. And that, in turn, can improve providers’ ability to care for patients, which is “the ultimate mission in healthcare.”
