This Week Health
September 18, 2024

UnHack the Podcast Summary: The New Career Path & How Leaders Can Become “the CISOs of Tomorrow”

As cyberattacks become increasingly sophisticated – and inflict more damage on health systems – an interesting trend is happening with IS leadership roles. Whereas in the past, it wasn’t uncommon for CISOs to “back into the role,” nowadays, the path is becoming much more linear, according to a panel of experts.

“The evolution and maturity of security as a discipline and as an industry means that we’re moving away” from situations in which CISO jobs are created and given to “the first person who raised their hands,” said Michael Meis, Associate CISO at University of Kansas Health System. Now, that’s no longer the case. “The CISOs of tomorrow are the ones who really embrace the role as an objective on their career path and intentionally build skills towards getting there.”

During a recent episode of Unhack the Podcast, Drex DeFord, President of the 229 Cyber & Risk Community, spoke with a panel of leaders to identify those key skills and discuss how aspiring leaders can develop them. Along with Meis, the group included Doug Fee (Moffitt Cancer Center), Dee Young (UNC Health), Aaron Weismann (Main Line Health), Hugo Lai (Temple Health), Jesse Fasolo (St. Joseph’s Health), and Shawna Hofer (St. Luke’s Health System).

Starting points

What DeFord learned is that because the CISO role is relatively new, there are myriad avenues that can be taken to arrive there. One of those, interestingly, is the help desk, which was the starting point for several of the speakers, including Fasolo and Lai.

“At that time in my career, there was no cybersecurity and there was no CISO,” Fasolo noted. “It was ‘turn it on and make it work, and shut it off when you’re done.’” There was, of course, the help desk, which afforded Fasolo the opportunity to learn about the various roles and departments that are critical to the success of a health system.

Lai agreed, adding that his time at the help desk paid off immensely. “That position allowed me to work with different stakeholders, understand IT infrastructure and the day to day operations, and put perspective into cybersecurity,” he said. “Cybersecurity is about concepts. How you put context into those controls makes a big difference to stakeholders.”

The other role that helped set the stage for his eventual CISO position? Doing consulting work, which helped him learn how to build relationships and gain an understanding of large enterprise environments, while being exposed to a host of different technologies. “That certainly helped me get to where I am today,” Lai added.

“The most qualified”

What's been just as (if not more) important as how leaders got their start, however, is what they did next. Fee, for example, never intended to enter the security realm; his aspiration was to be a mathematics professor. But when it became clear that wasn't going to happen, he surged ahead, pursuing a master’s in computer science and immersing himself in IT. And when an opportunity arose to become a HIPAA expert for the Department of Medicare and Medicaid Services at the State of Kentucky, he seized it, and eventually landed the CISO post at University of Kentucky HealthCare. “I loved it and I never went back from that point,” Fee stated.

Similarly, Weismann had a different inclination. Although he “always wanted to be in technology,” he found it difficult to gain expertise as an attorney. Fortunately, he had the foresight to earn a Master’s of Law in IT Licensing and Global Intellectual Property Law, which helped him land a job with the Commonwealth of Massachusetts. In that role, “I was able to interact with technology and our technical staff on a regular basis and I quickly became pretty much the sole attorney supporting our information security office.”

Doing so enabled him to build valuable expertise in a number of areas, including audits, which proved pivotal. “We were a heavily federally regulated organization because of all the federal contracts we had and all the federal programs we administered,” Weismann noted. “I was able to wiggle my way in by building out some of that audit function, supporting that audit function, and then later moving over into the technical side.” By the time he accepted the CISO role at Main Line Health in 2020, he was well-positioned to lead cybersecurity efforts.

Although the panelists certainly had diverging paths – and none actually set out to become CISOs right out of college – they all eventually reached that point by putting in the hard work and constantly striving to be better. “It’s interesting,” said DeFord, “nobody said, ‘I want to grow up to be a CISO.’ They meandered their way through their career, and at some point it became clear that, ‘you’re the person who’s probably the most qualified in our organization to take this responsibility.’”

Expert advice

Of course, each of the panelists was fortunate enough to have mentors throughout their journeys – and smart enough to listen to them. Below are some of the key pieces of advice they shared.

  • Keep learning. The ability to “adapt and move forward in your cybersecurity career is really valuable. You really need a mindset of, ‘I must learn,’” said Fasolo. “And with cybersecurity, there’s so much new coming down the pipe that you need to be a sponge at all times,” including during conversations with vendor partners about the new capabilities of tools and systems. “Every new implementation, every project, every job is an experience and exposure that will make you ready for the next step.”
  • Look outside of security. One of the most valuable lessons Young learned is that “it’s all about relationships,” she said, noting that technologists can often fall into the trap of “fighting for wins within the department,” which can jeopardize relationships. Rather, taking the time to build a rapport and understand the needs and demands of other leaders, particularly clinical and business, “can help you become a better leader within security.”
  • Develop non-security executive skills. While it’s critical for aspiring CISOs to understand how security applies in a technology environment, “the more pressing skillsets are understanding corporate governance – how it’s supposed to work and what it looks like in various types of organizations,” said Meis. It’s knowing “what’s the role of an executive versus a non-executive director and how does that function in a healthy organization, and taking the time to understand finance,” including how revenue is created and how it can be impacted. Having this knowledge, he added, can help leaders to “spread their wings beyond those traditional security skills.”
  • Lean on SMEs. Part of being a successful leader is recognizing the talent around you – and leveraging it, according to Young. “I have so many experts on my team and other teams that are so much smarter than I ever will be,” she said. “It’s really important to lean on those subject matter experts and allow them to shine within their field.”
  • Focus on influence. What leaders should not lean on are titles, noted Meis, who shared a valuable lesson he learned while serving in the US Army. “It’s more important to be able to persuade people than to command people,” he said. “Titles don’t matter. The size of your organization doesn’t matter.” Rather than trying to pull rank, the smart play is to “focus on building influence and buy-in.”
  • Create value. Although tending to the basics is extremely important in cybersecurity, it’s also important to look beyond that, said Fasolo, who was taught early on to focus on creating value. “It’s easy to fall into a space where you’re very comfortable and you’re good at what you do and you check the boxes,” he noted. But for those eyeing up the C-suite, resting on laurels isn't the right play. In Fasolo’s case, “learning and growing afforded me the ability to move from role to role, to grow and take on more responsibility.”
  • Read the room. One piece of advice that applies to all leaders, but especially those who didn’t come up through security? Listen, said Weismann. “When it comes to building out a security program, read the room and understand what other people are prioritizing, and what they’re feeling about how information security plays into that about how technology plays into business operations,” he said. Above all, “don’t assume you know everything.”
  • Don’t aim for perfect. The final nugget may seem counterintuitive, but in Hofer’s experience, the quest to do everything right can be detrimental. “I’ve struggled with wanting to make sure everything that is done for my organization or on behalf of my team or me is absolutely perfect,” she said. Instead, “it causes delays and it causes stress and anxiety that is absolutely unnecessary.”

It can also discourage security teams from taking the types of risks that are necessary for continued growth. The key is “finding the right balance of wanting to do a great job but also being flexible and agile,” Hofer noted. “We have to learn and grow. You can’t do that when you're so focused on making everything absolutely perfect.”
