Jul 17 2023

CISOs under pressure: Protecting sensitive information in the age of high employee turnover

Category: CISO, data security | disc7 @ 10:29 am

In this Help Net Security interview, Charles Brooks, Adjunct Professor at Georgetown University’s Applied Intelligence Program and graduate Cybersecurity Programs, talks about how zero trust principles, identity access management, and managed security services are crucial for effective cybersecurity, and how implementation of new technologies like AI, machine learning, and tracking tools can enhance supply chain security.

CISOs believe they have adequate data protection measures, yet many have dealt with the loss of sensitive data over the past year. How do you reconcile this apparent contradiction?

The loss of data despite protection measures is not that surprising. We are all playing catchup in cybersecurity. The internet was invented in a government laboratory and later commercialized in the private sector. The hardware, software, and networks were originally designed for open communication. Cybersecurity initially was not a major consideration. That mindset has surely changed due to the explosion of connectivity and commerce on the internet and CISOs are playing a big game of catch up too.

There are a multitude of causes that can account for the exfiltration of sensitive data. The first is that hacker adversaries have become more sophisticated and capable of breaching. The basic tools and tactics hackers use for exploitation include malware, social engineering, phishing (the easiest and most common, especially spear-phishing aimed at corporate executives), ransomware, insider threats, and DDoS attacks. Also, they often use advanced and automated hacking tools shared on the dark web, including AI and ML tools that are used to attack and explore victims’ networks. That evolving chest of hacker weaponry is not so easy for CISOs to defend against.

Another big factor is the reality that exponential digital connectivity propelled by the COVID-19 pandemic has changed the security paradigm. Many employees now work from hybrid and remote offices. There is more attack surface area to protect with less visibility and fewer controls in place for the CISO. Therefore, it is logical to conclude that more sensitive data has been and will be exposed to hackers.

The notion of adequate protection is a misnomer as threats are constantly morphing. All it takes is one crafty phish, a misconfiguration, or a failure to do a timely patch for a gap to provide an opportunity for a breach. Finally, many CISOs have had to operate with limited budgets and qualified cyber personnel. Perhaps they have lower expectations of the level of security they can achieve under the circumstances.

As the economic downturn pressures security budgets, how can CISOs optimize their resources to manage cybersecurity risks effectively?

CISOs must enact a prudent risk management strategy according to their industry and size that they can follow to allow them to best optimize resources. A good risk management strategy will devise a vulnerability framework that identifies digital assets and data to be protected. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity. This includes protecting and backing up business enterprise systems such as financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel & detection, firewalls, etc.) and policies.

There are measures in a vulnerability framework that are not cost prohibitive. Those measures can include mandating strong passwords for employees and requiring multi-factor authentication. Firewalls can be set up and CISOs can make plans to segment their most sensitive data. Encryption software can also be affordable. The use of the cloud and hybrid clouds enables implementation of dynamic policies, faster encryption, drives down costs, and provides more transparency for access control (reducing insider threats). A good cloud provider can provide some of those security controls for a reasonable cost. Clouds are not inherently risky, but CISOs and companies will need to recognize that they must thoroughly evaluate provider policies and capabilities to protect their vital data.

And if a CISO is responsible for protecting a small or medium business without a deep IT and cybersecurity team below them, and are wary of cloud costs and management, they can also consider outside managed security services.

How can organizations better safeguard their sensitive information during high employee turnover?

This goes to the essence of the strategy of zero trust. Zero trust (ZT) is the term for an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources. Organizations need to know everything that is connected to the network, devices & people.

Identity access management, or IAM, is very important. IAM is the label used for the set of technologies and policies that control who accesses what resources inside a system. A CISO must determine and know who has access to what data and why. If an employee leaves, they need to immediately revoke privileges and ensure that nothing sensitive was removed from the organization. There are many good IAM tools available from vendors on the market.

Certainly, with employee turnover, there are ethical and trust elements involved. Employee insider threats are difficult to detect and manage. Some of that can be addressed upfront in employment contracts; with an employee understanding of the legal parameters involved, it is less likely that they will run off with sensitive data.
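The revocation step in the answer above is where turnover-driven exposure usually hides: the login gets disabled while API keys, tokens and group memberships survive, and nobody owns the service accounts the leaver created. The reconciliation script below is an added example for this page, not code from the interview or from any IAM product. It joins a constructed HR roster against a constructed IAM export and flags what should have been revoked; the field names, the privileged-group names and the one-day grace window are assumptions, since real HR and IAM exports differ per vendor.

```python
"""Offboarding reconciliation: join the HR roster against an IAM export and
flag access that should have been revoked when an employee left.

Added example for this page, not the interviewee's code. The roster, the IAM
export and the field names are constructed assumptions; real HR and IAM
exports differ per vendor, but the joins are the same."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    uid: str
    status: str                         # "active" or "terminated"
    term_date: Optional[date] = None    # set when status == "terminated"


@dataclass(frozen=True)
class Account:
    uid: str
    enabled: bool
    last_activity: Optional[date]       # last login or API call seen
    groups: FrozenSet[str] = frozenset()
    active_keys: int = 0                # long-lived credentials still valid


# Group names a terminated user must never retain (assumed naming).
PRIVILEGED = frozenset({"domain-admins", "prod-db-rw", "finance-approvers"})

Finding = Tuple[str, str, str]          # (kind, uid, detail)


def reconcile(roster: List[Employee], accounts: List[Account],
              as_of: date, grace_days: int = 1) -> List[Finding]:
    """Return one finding per control gap, in account order."""
    by_uid = {e.uid: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        emp = by_uid.get(acct.uid)
        if emp is None:
            # No HR owner: typically a service or shared account nobody
            # will think to disable when its creator leaves.
            findings.append(("unowned_account", acct.uid,
                             "no HR record; assign an owner or disable"))
            continue
        if emp.status != "terminated" or emp.term_date is None:
            continue
        deadline = emp.term_date + timedelta(days=grace_days)
        if acct.enabled and as_of > deadline:
            findings.append(("account_still_enabled", acct.uid,
                             f"terminated {emp.term_date}, still enabled on {as_of}"))
        if acct.active_keys:
            # Disabling the login does not invalidate tokens and API keys.
            findings.append(("credentials_not_revoked", acct.uid,
                             f"{acct.active_keys} long-lived credential(s) still valid"))
        if acct.last_activity and acct.last_activity > emp.term_date:
            findings.append(("activity_after_termination", acct.uid,
                             f"last activity {acct.last_activity}"))
        retained = acct.groups & PRIVILEGED
        if retained:
            findings.append(("privileged_group_retained", acct.uid,
                             ", ".join(sorted(retained))))
    return findings


# Constructed sample data (not a real roster or IAM export).
AS_OF = date(2023, 7, 17)
ROSTER = [
    Employee("alice", "active"),
    Employee("bob", "terminated", date(2023, 6, 30)),
    Employee("carol", "terminated", date(2023, 7, 14)),
]
ACCOUNTS = [
    Account("alice", True, date(2023, 7, 17), frozenset({"prod-db-rw"})),
    Account("bob", True, date(2023, 7, 3), frozenset({"prod-db-rw"}), active_keys=1),
    Account("carol", False, date(2023, 7, 13)),        # clean offboarding
    Account("svc-backup", True, date(2023, 7, 16)),    # no HR owner
]

if __name__ == "__main__":
    for kind, uid, detail in reconcile(ROSTER, ACCOUNTS, AS_OF):
        print(f"{kind:28} {uid:12} {detail}")
```

Run on the sample data it reports four gaps for bob (enabled account, live credential, activity after the termination date, retained privileged group) and one unowned service account, and nothing for carol, whose account was disabled before the grace window closed. The "activity after termination" check is the one worth wiring to an alert rather than a weekly report, since it is evidence of use, not just of a missed step.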

We’ve seen increased CISO burnout and concerns about personal liability.

Yes, the burnout is a direct result of CISOs having too many responsibilities, too little budget, and too few workers to run operations and help mitigate growing cyber-threats. Now the personal liability factors, exemplified by the class action suit against SolarWinds’ CISO and the suit against Uber’s CISO for obscuring ransomware payments, have heightened the risk. In an industry that is already lacking in required numbers of cybersecurity leaders and technicians, CISOs need to be given not only the tools, but the protections necessary for them to excel in their roles. If not, the burnout and liability issues will put more companies and organizations at greater risk.

How are these challenges impacting the overall efficacy of CISOs in their roles, and what measures can be taken to address them?

Despite the trends of greater frequency, sophistication, lethality, and liabilities associated with incursions, industry management has been mostly unprepared and slow to act at becoming more cyber secure. A Gartner survey found that 88% of Boards of Directors (BoDs) view cybersecurity as a business risk, as opposed to a technology risk, and that only 12% of BoDs have a dedicated board-level cybersecurity committee.

“It’s time for executives outside of IT to take responsibility for securing the enterprise,” said Paul Proctor, Chief of Research for Risk and Security. “The influx of ransomware and supply chain attacks seen throughout 2021, many of which targeted operation- and mission-critical environments, should be a wake-up call that security is a business issue, and not just another problem for IT to solve.”

CISOs not only need a seat at the table in the C-Suite, but they also need insurance protections comparable to other executive management that limit their personal liability. There is no panacea for perfect cybersecurity. Breaches can happen to any company or person in our precarious digital landscape. It is not fair or good business to have the CISO go at it alone. In a similar context, cybersecurity should no longer be viewed as a cost item for businesses or organizations. It has become an ROI that can ensure continuity of operations and protect reputation. Investment in both the company and the CISO’s compensation and portfolio of required duties needs to be a priority going forward.

As supply chain risk continues to be a recurring priority, how can CISOs better manage this aspect of their cybersecurity strategies, especially under constrained budgets?

Ensuring that the supply chain is not breached including the design, manufacturing, production, distribution, installation, operation, and maintenance elements is a challenge to all companies. Cyber-attackers will always look for the weakest point of entry and mitigating third-party risk is critical for cybersecurity. Supply chain cyber-attacks can be perpetrated from nation-state adversaries, espionage operators, criminals, or hacktivists.

CISOs require visibility of all vendors in the supply chain along with set policies and monitoring. NIST, a non-regulatory agency of the US Department of Commerce, has a suggested framework for supply chain security that provides sound guidelines from both government and industry.

NIST recommends:

  • Identify, establish, and assess cyber supply chain risk management processes and gain stakeholder agreement
  • Identify, prioritize, and assess suppliers and third-party supplier partners
  • Develop contracts with suppliers and third-party partners to address your organization’s supply chain risk management goals
  • Routinely assess suppliers and third-party partners using audits, test results, and other forms of evaluation
  • Complete testing to ensure suppliers and third-party providers are able to respond to and recover from service disruption

Other mitigation efforts can be done with the acquisition of new technologies that monitor, alert, and analyze activities in the supply chain. Artificial intelligence and machine learning tools can provide visibility and predictive analytics, and steganographic and watermark technologies can provide tracking of products and software.

Previous DISC InfoSec posts on CISO topic

Chief Information Security Officer

CISSP training course

InfoSec tools | InfoSec services | InfoSec books

Tags: artificial intelligence, Chief Information Security Officer, CISO, Protecting sensitive information, security ROI, supply chain attacks

Jul 07 2023

Chief Information Security Officer Handbook

Category: CISO, vCISO | disc7 @ 11:03 am

Tags: Chief Information Security Officer, CISO

Feb 28 2023

CISOs struggle with stress and limited resources

Category: CISO, vCISO | DISC @ 1:10 pm

94% of CISOs report being stressed at work, with 65% admitting work-related stress issues are compromising their ability to protect their organization, according to Cynet.

Why CISOs struggle with stress:

CISOs (Chief Information Security Officers) often face high levels of stress due to the nature of their role. Here are some reasons why CISOs may struggle with stress:

  1. High-stakes responsibility: CISOs are responsible for protecting their organization’s sensitive information and ensuring that the organization’s systems and data are secure from cyber threats. The stakes are high, as a breach could have severe financial, legal, and reputational consequences for the organization. This level of responsibility can create significant stress for CISOs.
  2. Constantly evolving threats: Cyber threats are constantly evolving, which means that CISOs need to stay up-to-date with the latest security trends and technologies. This can be challenging and stressful, as they need to stay one step ahead of cybercriminals.
  3. Budget constraints: CISOs often struggle with limited budgets for their security programs, which can create stress as they need to make tough decisions about where to allocate resources and how to prioritize their security efforts.
  4. Talent shortages: There is a shortage of skilled cybersecurity professionals, which means that CISOs often struggle to find and retain talented staff. This can create stress as they need to find ways to manage their workload and keep their security programs running effectively.
  5. Balancing business needs and security: CISOs need to balance the needs of the business with the need for security, which can create stress as they need to find ways to enable business initiatives while still maintaining a secure environment.

All of these factors can contribute to the high levels of stress that CISOs often experience. To cope with this stress, CISOs may need to develop strong coping strategies such as seeking support from colleagues, practicing self-care, and prioritizing their workload. Additionally, organizations can help by providing their CISOs with adequate resources and support to help them manage their responsibilities effectively.


Among the CISOs surveyed, 100% said they needed additional resources to adequately cope with current IT security challenges.

Stress issues

The lack of bandwidth and resources is not only impacting CISOs, but their teams as well. According to the report, 74% say they are losing team members because of work-related stress issues, with 47% of these CISOs having more than one team member exit their role over the last 12 months.

Relentless stress levels are also affecting recruitment efforts with 83% of CISOs admitting they have had to compromise on the staff they hire to fill gaps left by employees who have quit their job. More than a third of the CISOs surveyed said they are either actively looking for or considering a new role.

“The results from our mental health survey are devastating but it’s not all doom and gloom. Our research found that CISOs know exactly what they need to reduce stress levels: more automated tools to manage repetitive tasks, better training, and the ability to outsource some work responsibilities,” said Eyal Gruner, CEO, Cynet.

“One of the most eye-opening insights from the report was the fact that more than 50% of the CISOs we surveyed said consolidating multiple security technologies on a single platform would decrease their work-related stress levels,” Gruner added.

Key findings from the report include:

  • 77% of CISOs believe that their limited bandwidth and lack of resources has led to important security initiatives falling to the wayside, with 79% of these CISOs claiming they have received complaints from board members, colleagues or employees that security tasks are not being handled effectively.
  • 93% of CISOs believe they are spending too much time on tactical tasks instead of performing strategic, high-value work and management responsibilities. Among the CISOs who believe they are overly invested in tactical tasks, more than a quarter report spending their workday almost exclusively on tactical/operational tasks.
  • 84% of CISOs say they have had to cancel a vacation due to an urgent work matter and 64% report they’ve missed a private event because of work fatigue. More than 90% consistently work 40+ hours per week with no break.

The impact of work-related stress on everyday life

The major takeaway from the survey is that CISOs – and their teams – are suffering from overwhelming amounts of stress and it’s affecting everything from the security of their company to their day-to-day work routines and, ultimately, their life outside of work.

In fact, 77% of CISOs said that work-related stress was directly impacting their physical health, mental health, and sleep patterns.

The company surveyed chief information security officers (CISO) at small to midsize businesses with security teams of five employees or less to better understand their levels of work-related stress and how their mental health is impacting their work life and personal life.

To find out how you can reverse rising CISO work stress levels and better protect your business, download Cynet’s full report now: 2023 Implications of Stress on CISOs 2023 Survey.

Previous posts on CISO

Cybersecurity: The CISO’s View

Tags: Chief Information Security Officer, CISO

Jul 11 2022

The CISO MindMap

Category: CISO, vCISO | DISC @ 10:05 am

The CISO MindMap (with Rafeeq Rehman)

This episode features Rafeeq Rehman.  He discusses the need for a CISO Mindmap and 6 Focus Areas for 2022-2023:

1.  Re-evaluate ransomware defenses, detection and response capabilities, perform a business impact analysis and identify critical processes, applications and data.

2.  Reduce/consolidate security tools/technologies and vendors. More tools don’t necessarily reduce risk but do add the need for maintaining expertise on security teams.

3.  To serve your business better, train staff on business acumen, value creation, influencing and human experience.

4.  Take an inventory of open source software (standalone and libraries) and make it part of your vulnerability management program.

5.  Build team expertise in technology fields including machine learning (ML) models, model training, API security, service mesh, containers, DevSecOps.

6.  Maintain a centralized risk register. Even better: integrate into your enterprise risk management program. Track risk for technology, insiders, processes, third parties, compliance and skill gaps.
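Item 4 above is the one that needs tooling rather than policy: an inventory you cannot match against advisories is a list, not a vulnerability management input. The script below is an added example for this page, not code from the CISO MindMap or the episode. It parses a pinned dependency list into a normalized inventory, keeps unpinned VCS installs as findings in their own right instead of dropping them, and evaluates each component against advisories expressed as version ranges. The lockfile, the package names and the advisory identifiers are constructed and fictitious; a real program would load an SBOM and a vulnerability feed in their place.

```python
"""Open-source component inventory: parse a pinned dependency list into an
inventory and check it against advisories that carry version ranges.

Added example for this page, not from the CISO MindMap or the episode. The
lockfile, the package names and the advisory identifiers below are
constructed and fictitious; a real program would load an SBOM and a
vulnerability feed instead."""
import re
from typing import Dict, List, Tuple

# Constructed lockfile in pip "requirements" syntax (fictitious packages).
LOCKFILE = """\
# pinned by CI on 2023-07-10
exampleparser==2.3.0
tinycrypt==1.1.4 ; python_version >= "3.8"
webframe==4.0.2
-e git+https://example.invalid/internal/tool.git#egg=internaltool
"""

# Constructed advisories; "affected" is a comma-separated set of comparators
# that must all hold for an installed version to be affected.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-001", "package": "exampleparser", "affected": "<2.4.1"},
    {"id": "EXAMPLE-ADV-002", "package": "tinycrypt", "affected": ">=1.0,<1.1.5"},
    {"id": "EXAMPLE-ADV-003", "package": "webframe", "affected": ">=3.0,<4.0.0"},
]

PIN = re.compile(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)")
CLAUSE = re.compile(r"^(<=|>=|==|<|>)\s*([0-9][0-9A-Za-z.]*)$")
UNPINNED = "unpinned"


def normalize(name: str) -> str:
    """Package names compare case-insensitively with -, _ and . folded."""
    return re.sub(r"[-_.]+", "-", name).lower()


def vtuple(version: str, width: int = 4) -> Tuple[int, ...]:
    """'1.1.4' -> (1, 1, 4, 0); padding makes '2.4' equal to '2.4.0'.
    Pre-release suffixes such as 'rc1' are ignored (assumption: release
    pins only), and components beyond `width` are dropped."""
    parts = []
    for piece in version.split(".")[:width]:
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts + [0] * (width - len(parts)))


def affected(version: str, spec: str) -> bool:
    """True when every comparator clause in `spec` holds for `version`."""
    v = vtuple(version)
    for clause in spec.split(","):
        m = CLAUSE.match(clause.strip())
        if not m:
            raise ValueError(f"bad comparator: {clause!r}")
        op, bound = m.group(1), vtuple(m.group(2))
        holds = {"<": v < bound, "<=": v <= bound, ">": v > bound,
                 ">=": v >= bound, "==": v == bound}[op]
        if not holds:
            return False
    return True


def parse_lock(text: str) -> Dict[str, str]:
    """Return {normalized name: version}. VCS and editable installs carry no
    comparable version, so they are kept as UNPINNED rather than dropped:
    a component the scanner cannot evaluate is itself a finding."""
    inventory: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("-e ") or "git+" in line:
            name = line.rsplit("#egg=", 1)[1] if "#egg=" in line else line
            inventory[normalize(name)] = UNPINNED
            continue
        m = PIN.match(line)
        if m:
            inventory[normalize(m.group(1))] = m.group(2)
    return inventory


def scan(inventory: Dict[str, str], advisories) -> List[Tuple[str, str, str]]:
    """(advisory id, package, installed version or 'unpinned') per match."""
    findings = []
    for adv in advisories:
        installed = inventory.get(normalize(adv["package"]))
        if installed is None:
            continue
        if installed == UNPINNED or affected(installed, adv["affected"]):
            findings.append((adv["id"], adv["package"], installed))
    return findings


if __name__ == "__main__":
    inv = parse_lock(LOCKFILE)
    print(f"{len(inv)} components, "
          f"{sum(v == UNPINNED for v in inv.values())} unpinned")
    for adv_id, pkg, ver in scan(inv, ADVISORIES):
        print(f"{adv_id}: {pkg} {ver}")
```

On the constructed input the scanner flags the first two advisories and correctly leaves webframe 4.0.2 alone, because the fixed version sits outside the affected range. Two details matter more than the matching itself: name normalization (the same library appears as `Foo_Bar`, `foo-bar` and `foo.bar` across ecosystems) and the explicit handling of unpinned components, which is where "we inventoried everything" claims usually fall apart.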

  • CISO MindMap
  • CISO MindMap 2022 Recommendations
  • Information Security Leaders Handbook
  • Cybersecurity Arm Wrestling

CISO – Chief Information Security Officer

Tags: Chief Information Security Officer, CISO, CISO Chief Information Security Officer

Jul 17 2020

Twitter stepped up search to fill top security job ahead of hack

Search for a chief information security officer

Twitter Inc had stepped up its search for a chief information security officer in recent weeks, two people familiar with the effort told Reuters, before the breach of high-profile accounts on Wednesday raised alarms about the platform’s security. Twitter said hackers had targeted employees with access to its internal systems and “used this access to take control of many highly-visible (including verified) accounts.”

The second and third rounds of hijacked accounts tweeted out messages telling users to send bitcoin to a given address in order to get more back. Publicly available blockchain records show the apparent scammers received more than $100,000 worth of cryptocurrency.

The U.S. House Intelligence Committee was in touch with Twitter regarding the hack, according to a committee official who did not wish to be named.

Source: Twitter stepped up search to fill top security job ahead of hack

Twitter says 130 accounts were targeted in hack


Tags: bitcoin, blockchain, Chief Information Security Officer, high-profile accounts, hijacked accounts, House Intelligence Committee, Twitter CISO, vCISO, verified accounts

Apr 18 2019

What CISO does for a living

Category: CISO | DISC @ 9:14 am

What CISO does for a living by Louis Botha

It’s based on the CISO mindmap by Rafeeq Rehman, updated for 2018 and adding the less technical competencies

Download of What CISO does for a living (pdf)

CISO MindMap 2018 – What Do InfoSec Professionals Really Do?

A CISO should have answers to these questions before meeting with senior management:

  • What are the top risks?
  • Do we have an inventory of critical InfoSec assets?
  • Which leading InfoSec standards and regulations apply to us?
  • Are we conducting InfoSec risk assessments?
  • Do we have a risk treatment register?
  • Are we testing controls, including DR/BCP plans?
  • How do we measure compliance with security controls?
  • Do we have a data breach response plan?
  • How often do we conduct InfoSec awareness training?
  • Do we need, or have enough, cyber insurance?
  • Is the security budget appropriate to current threats?
  • Do we have visibility into critical networks/systems?
  • Are vendor risks part of our risk register?

Tags: Chief Information Security Officer, CISO

Sep 14 2018

CISO’s Library

Category: CISO | DISC @ 4:38 pm

CISO’s personal library on managing risk for their organization.

Tags: Chief Information Security Officer, CISO, ISO

Aug 21 2015

Five ISO 27001 books you should read

Category: ISO 27k | DISC @ 9:14 am

Take a plunge into the world of ISO 27001 with these recommended reads


As a professional embarking on your first journey implementing ISO 27001, you are probably hungry for knowledge and eager to make progress. While starting a new project may be exciting, it can also be daunting if you lack relevant experience and cannot rely on internal support and guidance.

Many ISO 27001 practitioners attend ISO 27001 Lead Implementer courses to gain practical knowledge and skills to develop an information security management system (ISMS). Some go even further by securing a budget to call in an experienced ISO 27001 consultant to guide them through the process and help them with the more complex aspects of the project. But most information security professionals start the journey by simply reading a lot on the subject and doing initial preparation on their own – a method that is not only cost effective, but also gives them a good foundation to understand what is needed for successful ISO 27001 delivery.

Here are five books from IT Governance’s own ISO 27001 library that we believe can help ISO 27001 practitioners prepare for ISO 27001 implementation.

The Case for ISO 27001

As the title says, this book explains the business case for implementing ISO 27001 within an organisation. It highlights the importance and outlines the many benefits of the Standard, making it an ideal supporting document for developing an ISO 27001 project proposal.

The Case for ISO 27001 can be ordered from the IT Governance website.

IT Governance – An International Guide to Data Security and ISO27001/ISO27002

Now in its sixth edition, the bestselling IT Governance: An International Guide to Data Security and ISO27001/ISO27002 is the perfect manual for designing, documenting and implementing an ISO 27001-compliant ISMS, and seeking certification. Selected as the textbook for the Open University’s postgraduate information security course, this comprehensive book offers a systematic process and covers the main topics in depth.

Jointly written by renowned ISO 27001 experts Alan Calder and Steve Watkins, IT Governance: An International Guide to Data Security and ISO27001/ISO27002, sixth edition is due to be released 3 September 2015, and is now available for pre-order.

Nine Steps to Success

If you are looking for a concise, practical guide to implementing an ISMS and achieving ISO 27001 certification, consider obtaining a copy of Nine Steps to Success. Written from first-hand experience, it guides you through an ISO 27001 implementation project step-by-step, covering the most essential aspects including gaining management support, scoping, planning, communication, risk assessment and documentation.

ISO 27001 Assessments Without Tears

With ISO 27001 certification being the final goal for most organisations implementing the Standard, the pressure is usually on the ISO 27001 practitioners to ensure that staff are prepared to answer tricky auditor questions. ISO 27001 Assessments Without Tears is a succinctly written pocket guide that explains what an ISO 27001 assessment is, why it matters for the organisation, and what individual staff should and should not do if an auditor chooses to question them.

ISO 27001 in a Windows Environment

Most ISO 27001 implementations will involve a Windows® environment at some level. Unfortunately, there is often a knowledge gap between those trying to implement ISO 27001 and the IT specialists trying to put the necessary best-practice controls in place using Microsoft®’s technical controls. Written by information security expert Brian Honan, ISO27001 in a Windows Environment bridges that gap and gives essential guidance to everyone involved in a Windows-based ISO27001 project.

Tags: Chief Information Security Officer, Computer security, Data center, Information Security Management System, ISO/IEC 27001

Jun 19 2015

Cyber Resilience Best Practices

Category: Cyber Insurance, cyber security, Cybercrime | DISC @ 11:07 am

RESILIA™ Cyber Resilience Best Practices

AXELOS’s new guide RESILIA™ Cyber Resilience Best Practices provides a methodology for detecting and recovering from cyber security incidents using the ITIL lifecycle

Best guide on Cyber Resilience on the web: Cyber Resilience Best Practices is part of the AXELOS RESILIA™ portfolio.

RESILIA™ Cyber Resilience Best Practices is aimed at anyone that is responsible for staff or processes that contribute to the cyber resilience of the organization.

The methodology outlined in this manual has been designed to complement existing policies and frameworks, helping create a benchmark for cyber resilience knowledge and skills.

  • Designed to help organizations better prepare themselves to deal with the increasing range and complexity of cyber threats.
  • Provides a management approach to assist organizations with their compliance needs, complementing new and existing policies and frameworks.
  • Developed by experts in hands-on cyber resilience and systems management, working closely with subject and technology experts in cyber security assessment.
  • Supports the best-practice training and certification that is available to help organizations educate their staff by providing a defined benchmark for cyber resilience knowledge and skills.
  • Aligned with ITIL®, which is the most widely accepted service management framework. The best practice is equally suitable for organizations to adopt within other systems, such as COBIT® and organization-specific frameworks.


Target market


  • Managers who are responsible for staff and processes where cyber resilience practices are required – for example those processing payment card information, sensitive commercial data or customer communications.
  • IT service management teams, IT development and security teams, cyber teams and relevant team leaders that operate the information systems that the organization relies on.
  • IT designers and architects, those responsible for the design of the information systems and the controls that provide resilience.
  • The chief information security officer (CISO), the chief security officer (CSO), IT director, head of IT and IT managers.


Buy this guide and gain practical guidance on assessing, deploying and managing cyber resilience within business operations.

Tags: Chief Information Security Officer, CISO, Computer security, CSO, cyber crime, Cyber Defence, Cyber Insurance, Cyber protection, Cyber Resilience, cyber security, Cyber Security countermeasures, Cyber Security Safeguards, cyber threats, data security, Information Security, Information Technology Infrastructure Library, ISO, iso 27001, iso 27002

May 25 2010

Tips for building security organization

Category: Security organization | DISC @ 5:54 pm

By: Brian Prince

Businesses have increased expectations on the security team in recent years, sometimes producing a disconnect between what is expected and what the security team can deliver. In a new report, Forrester Research lays out some advice for building an effective security organization.

As IT security has become a bigger part of business discussions, security teams have increasingly shifted their focus from operations to strategic business objectives.

For businesses building their security groups, there needs to be a balance between fulfilling operational and strategic goals, and a new report from Forrester Research offers advice on how businesses can find it.

“In a few cases we found that the strategic aspect of security was so important or was so highlighted in terms of the CISO [chief information security officer] role that the CISO was sometimes moved outside the IT organization, [and] sometimes wasn’t as connected with the operation [of] the IT…[but] much more connected with the business side and the strategy side,” explained Forrester analyst Khalid Kark. “What that does is basically creates an ivory tower for the chief security officers, and then they are not able to operate.”

To avoid that, there are several steps Forrester recommends organizations take. Here are a few of them.

— New Roles: To make your security practice more strategic, add these three positions: a business liaison to advocate for the business unit within the security team and communicate the security perspective to the business; a third-party security coordinator to address outsourcing, assessments and cloud computing; and a security engineer focused on working with the enterprise architecture team to build security into the architecture and integrate specific infrastructure security components into it.

— Understand IT security vs. information risk: “Many security organizations fail to get management attention because they’re always focused on the IT security activities, which the business doesn’t understand,” according to the report. “On the other hand, the business understands risk well, and if you articulate those same problems in the risk context, the business is much more likely to react and respond to them.”

— Develop a cross-functional security council: “Focus on ‘who’ not ‘how.’ Forrester has long professed the benefits of a security council, but one thing that is absolutely essential for the success of this council is its composition,” the report continues. “The trick is not to aim for the highest ranking businessperson but the one most interested in security and risk issues who has a reasonable level of visibility in the business. When you have a passionate team working on the security issues, the ‘how’ will be easy to determine.”

— Equip the business to perform risk assessments: “To meet the security and risk obligations effectively, you have to delegate, and risk assessments are ideal for this,” Forrester said. “Provide the checklists and basic training to the business to perform the basic risk assessment tasks so that it takes the pressure off your resources. Make it easy and seamless for the business to incorporate these into its existing processes.”

Complicating things is today’s economic environment in which businesses may be forced to reshuffle or even cut their security personnel. When that happens, organizations may have to refocus their attention from strategic projects and get back to basics, the report noted.

“As security organizations get leaner, delegation, formalized and documented processes, and good monitoring and metrics become key,” said Forrester analyst Rachel Dines, who worked on the report with Kark. “Security organizations don’t need to have direct ownership of all security-related processes, but they do need to monitor and control them.”

Tags: Business, Chief Information Security Officer, Cloud computing, Consultants, Forrester Research, General and Freelance, Information Security, Security

Nov 03 2009

Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges

Category: hipaa DISC @ 6:22 pm

Healthcare Organizations May Not Be Prepared for HITECH and Other Security Challenges
The Healthcare Information and Management Systems Society releases its 2nd Annual Security Survey, sponsored by Symantec

CHICAGO (November 3, 2009) – With the American Recovery and Reinvestment Act underway, healthcare organizations face new challenges to maintain privacy and security of patient health data. However, data gathered from healthcare IT and security professionals indicate that many organizations may not be ready to meet some of the HITECH components of the ARRA legislation and other security challenges, according to the results of the 2009 HIMSS Security Survey, sponsored by Symantec Corp. (Nasdaq: SYMC).

While healthcare organizations recognize that patient data must be protected, the survey results show that:

  • Security budgets remain low
  • Organizations often don’t have a response plan for threats or a security breach
  • A designated Chief Security Officer or Chief Information Security Officer is not in place

In addition, the survey reveals that healthcare organizations are not using the current security technologies available to keep patient data safe. Respondents to this survey widely use audit logs with data from firewalls, application logs and server logs as common information sources. Yet, when analyzing the log data, only 25 percent of respondents reported electronic analysis of that data. Respondents indicate they are using firewalls and user access controls, but are not implementing all available technologies to secure data. Only 67 percent of responding organizations use encryption to secure data in transmission, and fewer than half encrypt stored data.

    “Healthcare organizations are continually looking for ways to save money,” said David Finn, health IT officer, Symantec Corp. “One of the best ways to accomplish these goals is through investing in technologies that will automate and reduce the risks of a security incident and lower the chances of a compliance issue. Although awareness about these issues is high, many providers have not yet made significant moves to address these concerns.”

    Other key survey results include:

    Security Budget: Approximately 60 percent of respondents reported that their organization spends three percent or less of its IT budget on information security. This is consistent with the level of spending identified in the 2008 study.

    Maturity of Environment: Respondents characterized their environment at a middle rate of maturity, with an average score of 4.27 on a scale of one to seven, where one is not at all mature and seven is a high level of maturity.

    Formal Security Position: Fewer than half of respondents indicated that their organization has either a formally designated CISO (Chief Information Security Officer) or CSO (Chief Security Officer).

    Patient Data Access: Surveyed organizations most widely implement user-based and role-based controls to secure electronic patient information. Approximately half of respondents reported that their organization allows patients/surrogates to access electronic patient information. Patients/surrogates are most likely to be granted access to high level clinical information, such as diagnosis or lab results.

    Management of Security Environment: Nearly all respondents reported that their organization actively works to determine the cause/origin of security breaches. However, only half have a plan in place for responding to threats or incidents related to a security breach.

    Security Controls: Most respondents reported that they use the information generated in their risk analysis to determine which security controls should be used at their organization. About 85 percent of respondents reported that they monitor the success of these controls and two-thirds of these respondents measure the success of these controls.

    Risk Analysis: Three-quarters of surveyed organizations conduct a formal risk analysis (only half of these conduct this assessment on a yearly basis or more frequently), which has remained the same in the past year. Three-quarters of organizations that did conduct risk assessments found patient data at risk due to inadequate security controls, policies and processes. Conducting this analysis positions organizations to identify gaps in their security controls and/or policies and procedures.

    Security in a Networked Environment: Nearly all respondents reported that their organizations share patient data in electronic format. Respondents are most likely to report that they share data with state government entities. Respondents also reported that the area in which they are most likely to share data in the future is with Health Information Exchanges (HIEs)/Regional Health Information Organizations (RHIOs). Approximately half of these organizations (41 percent) indicated that these sharing arrangements have resulted in the use of additional security controls beyond those that were already in place at their organization. This is consistent with the data reported in the 2008 survey.

    Future Use of Security Technologies: E-mail encryption and single sign-on were the technologies respondents most frequently identified as not presently installed at their organization but planned for future installation.

    Medical Identity Theft: One-third of respondents reported that their organization has had at least one known case of medical identity theft at their organization. However, only a handful of these organizations experienced direct consequences from the breach.

    “Healthcare organizations must approach all IT activities, including data security, with effective management and efficient use of their budgets, staff and technologies,” said Lisa Gallagher, HIMSS Senior Director, Privacy and Security. “IT and security professionals must recognize the need for securing patient data by using available technologies and preparing for compliance with current ARRA laws and future regulations. This complex operating environment, as well as our national goals for health IT, demands such action to ensure quality, safety and improved healthcare delivery.”

    Targeting Chief Information Officers, Chief Security Officers and other Information Technology (IT) executives, the 2009 HIMSS Security Survey assessed 196 IT and security professionals in the healthcare field on their own readiness for today’s risks and security challenges.

    About Symantec
    Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored. More information is available at www.symantec.com.

    About HIMSS
    The Healthcare Information and Management Systems Society (HIMSS) is a comprehensive healthcare-stakeholder membership organization exclusively focused on providing global leadership for the optimal use of information technology (IT) and management systems for the betterment of healthcare. Founded in 1961 with offices in Chicago, Washington D.C., Brussels, Singapore, and other locations across the United States, HIMSS represents more than 23,000 individual members, of which 73% work in patient care delivery settings. HIMSS also includes over 380 corporate members and nearly 30 not-for-profit organizations that share our mission of transforming healthcare through the effective use of information technology and management systems. HIMSS frames and leads healthcare public policy and industry practices through its educational, professional development, and advocacy initiatives designed to promote information and management systems’ contributions to ensuring quality patient care. Visit www.himss.org for more information.

    For more information, contact:
    Joyce Lofstrom/HIMSS
    312-915-9237 – jlofstrom@himss.org

    Pamela Reese/Symantec
    424-750-7858 – pamela_reese@symantec.com


    Tags: arra and hitech, arra hitech provisions, arra hitech security "business associate", Chief Information Security Officer, Chief security officer, Computer security, Health care, Healthcare Information and Management Systems Society, hipaa laws, Information Technology, Security, status of arra and hitech, Symantec