As cyberattacks become increasingly sophisticated – and inflict more damage on health systems – an interesting trend is happening with IS leadership roles. Whereas in the past, it wasn’t uncommon for CISOs to “back into the role,” nowadays, the path is becoming much more linear, according to a panel of experts.
“The evolution and maturity of security as a discipline and as an industry means that we’re moving away” from situations in which CISO jobs are created and given to “the first person who raised their hands,” said Michael Meis, Associate CISO at University of Kansas Health System. Now, that’s no longer the case. “The CISOs of tomorrow are the ones who really embrace the role as an objective on their career path and intentionally build skills towards getting there.”
During a recent episode of Unhack the Podcast, Drex DeFord, President of the 229 Cyber & Risk Community, spoke with a panel of leaders to identify those key skills and discuss how aspiring leaders can develop them. Along with Meis, the group included Doug Fee (Moffitt Cancer Center), Dee Young (UNC Health), Aaron Weismann (Main Line Health), Hugo Lai (Temple Health), Jesse Fasolo (St. Joseph’s Health), and Shawna Hofer (St. Luke’s Health System).
Starting points
What DeFord learned is that because the CISO role is relatively new, there are myriad avenues that can be taken to arrive there. One of those, interestingly, is the help desk, which was the starting point for several of the speakers, including Fasolo and Lai.
“At that time in my career, there was no cybersecurity and there was no CISO,” Fasolo noted. “It was ‘turn it on and make it work, and shut it off when you’re done.’” There was, of course, the help desk, which afforded Fasolo the opportunity to learn about the various roles and departments that are critical to the success of a health system.
Lai agreed, adding that his time at the help desk paid off immensely. “That position allowed me to work with different stakeholders, understand IT infrastructure and the day to day operations, and put perspective into cybersecurity,” he said. “Cybersecurity is about concepts. How you put context into those controls makes a big difference to stakeholders.”
The other role that helped set the stage for his eventual CISO position? Doing consulting work, which helped him learn how to build relationships and gain an understanding of large enterprise environments, while being exposed to a host of different technologies. “That certainly helped me get to where I am today,” Lai added.
“The most qualified”
Just as important as how leaders got their start, however (if not more so), is what they did next. Fee, for example, never intended to enter the security realm; his aspiration was to be a mathematics professor. But when it became clear that wasn't going to happen, he surged ahead, pursuing a master’s in computer science and immersing himself in IT. And when an opportunity arose to become a HIPAA expert for the Department of Medicare and Medicaid Services at the State of Kentucky, he seized it, and eventually landed the CISO post at University of Kentucky HealthCare. “I loved it and I never went back from that point,” Fee stated.
Similarly, Weismann had a different inclination. Although he “always wanted to be in technology,” he found it difficult to gain expertise as an attorney. Fortunately, he had the foresight to earn a Master’s of Law in IT Licensing and Global Intellectual Property Law, which helped him land a job with the Commonwealth of Massachusetts. In that role, “I was able to interact with technology and our technical staff on a regular basis and I quickly became pretty much the sole attorney supporting our information security office.”
Doing so enabled him to build valuable expertise in a number of areas, including audits, which proved pivotal. “We were a heavily federally regulated organization because of all the federal contracts we had and all the federal programs we administered,” Weismann noted. “I was able to wiggle my way in by building out some of that audit function, supporting that audit function, and then later moving over into the technical side.” By the time he accepted the CISO role at Main Line Health in 2020, he was well-positioned to lead cybersecurity efforts.
Although the panelists certainly had diverging paths – and none actually set out to become CISOs right out of college – they all eventually reached that point by putting in the hard work and constantly striving to be better. “It’s interesting,” said DeFord, “nobody said, ‘I want to grow up to be a CISO.’ They meandered their way through their career, and at some point it became clear that, ‘you’re the person who’s probably the most qualified in our organization to take this responsibility.’”
Expert advice
Of course, each of the panelists was fortunate enough to have mentors throughout their journeys – and smart enough to listen to them. Below are some of the key pieces of advice they shared.
It can also discourage security teams from taking the types of risks that are necessary for continued growth. The key is “finding the right balance of wanting to do a great job but also being flexible and agile,” Hofer noted. “We have to learn and grow. You can’t do that when you're so focused on making everything absolutely perfect.”