G2Xchange recently had the chance to speak with Colin Corlett, President and CEO at cybersecurity, and IT services provider Excentium about the key role of cyber, why a different view of cyber is needed to change course and the top down view companies and agencies need to succeed.
There are two major areas of cybersecurity – Offensive and Defensive and included within the defensive is compliance and governance. Some people look down on compliance and cyber governance as not being “real” cybersecurity. While this may be true to a degree, the answer to addressing our cyber challenges does not rest on products or technologies alone. Most cybersecurity exploits can be traced back to a root cause of poor cyber hygiene, resulting from a lack of cyber governance.
There is also a misconception that the responsibility for cybersecurity can be placed on one department, rather than being an accountability that exists across the organization. Organizations should focus more on how the responsibility for cybersecurity can, and should be shared and integrated throughout an organization, rather than considered a problem for IT to address alone.
A better way forward, and the direction we must follow, is for cybersecurity to be approached with a holistic view, from a strategic perspective, aimed at identifying and clarifying security requirements before anything is acquired or built. Cyber Governance is where we need to focus on to get to a better place.
In fact, there is an Executive Order (EO) pushing agencies to incorporate the National institute of Standards and Technologies (NIST) cybersecurity framework (CSF) into agencies’ Risk Management Framework (RMF). The EO requires agency leaders to adopt the NIST CSF, which was initially developed as a voluntary standard. It further states that agencies should use the CSF to manage their cybersecurity risk. Therefore, the intent reinforces agency leaders to adopt a more governance-based approach to the RMF, and cybersecurity overall.
What Healthcare Organizations Needs to Know
We ALL talk about “baking cybersecurity in”, but I am yet to see an organization that truly does. If we consider there to be four major business functions in a system’s lifecycle: Acquisition; Development; Deployment; and Sustainment, each function has a responsibility for security. Organizations and Government agencies should not shoulder responsibility for cybersecurity based purely on an organizational chart. They should look more from an accountability perspective across the business functions necessary and/or in place to support their particular organization’s mission. The organization with overall responsibility for all of these functions should have overall accountability of ensuring cybersecurity governance across and throughout. The person identified as responsible for a specific function (Acquisition, Development, Deployment, and Sustainment) should have full accountability for ensuring security for that function.
The reality is that organizations tend to place the responsibility of cybersecurity on their IT and cybersecurity teams alone. The NIST RMF is designed to help organizations accomplish the integration of cybersecurity, but if you were to ask most people across the Government, and industry, they would say the RMF is just a “certification”, a “check box” necessary to deploy a system.
Acquisition and Sustainment are arguably two of the most important phases of a system’s lifecycle. The security control baseline should be established during acquisition; then that baseline must be continually assessed and modified as necessary to maintain security during sustainment. Yet, I see many solicitations that include either vague, or too many requirements from a cybersecurity perspective. Organizations need to be clear on what they require, and then be able to evaluate the vendor community based on what they propose, and how it meets those very specific needs.
The RMF includes phases early on to aid in this part of the process. Healthcare organizations must categorize their systems, and identify appropriate security controls prior to soliciting IT solutions if they hope to reduce the cost associated with cybersecurity, and realize improved resilience against Cyber-attacks. Organizations must embrace risk, and threat assessments early to most appropriately understand where they should focus their needs for cybersecurity.
What Vendors Need to Know
Get on board, and understand what is expected early. Historically, I have only ever been approached by a vendor when they realize their solution needs to be able to meet cybersecurity compliance standards. Why is this? If I were to guess, I would say it is because cybersecurity and/or compliance was not included in their overall strategy and supporting plans. Today, vendors are not likely to be successful if they do not consider cybersecurity, and compliance as a “way of life”, to be brought up as a topic for discussion at every stage.
The vendor community needs to have a clear understanding of the business impact associated with building security in, and meeting compliance standards. There are vendors who truly care about cybersecurity, and others who deal with it more as a necessary evil. I don’t mean that as a slight, but some vendors just don’t have the cybersecurity capabilities or experience to be successful. If an organization lacks the in-house personnel resources who understand what it “truly” takes to be successful, there are plenty of external sources that do.
It goes without saying that vendors should be concerned about securing their products, but when it comes to working with the Federal Government, and large Healthcare organizations, they should truly understand the level of effort, and financial impact associated with achieving and maintaining compliance. These are costs that need to be considered early, including a strategy for recovering those costs in product sales and maintenance contracts.
Vendors should develop a risk-based cybersecurity program that aligns with their business strategy, and ensures they consider the costs of compliance in their future plans. Bottom line: consider all possible compliance standards based on your target market, and build a program to address that.
How Healthcare organizations should address Medical Devices
I see an increased focus on Medical Devices yet fail to see why the process for securing these devices should be treated any differently than any other IT: Follow a Risk-based methodology, understand the possible threats, determine, document, and implement security controls, and continually monitor, and assess the risk. Some devices may not be able to be secured; identify them and come up with a plan. If other, more secure products are available, and when feasible, devices should be replaced. If not feasible, an organization should determine ways to reduce the risk to an acceptable level.
Many organizations today are faced with tighter budgets, and are having to make decisions about where money is best spent. If we think of an IT solution as a large ship, setting it on course, and then turning it to meet security demands, and then readjusting again as demands change, takes time and money. If you can set the ship on the right course from the start, the investment over time will be much less. Unfortunately, to get the ships all moving in the right direction from the very beginning requires turning the bigger ship now; this means investing in fixing the cybersecurity governance problem mid cruise. Sounds simple, but it is by no means easy.
Achieving 100% security while maintaining 100% functionality is not a reality. A thoughtful risk management strategy, seeded in a holistic governance approach, is an organization’s best defense in an ever-changing cybersecurity landscape.
Excentium is a FedRAMP-Accredited 3PAO and a certified Service Disabled Veteran-Owned Small Business (SDVOSB) that has provided full spectrum Information Assurance (IA), Cybersecurity, Risk Management, and other IT related services to Federal and commercial Healthcare organizations since 2006.