Healthcare CISOs discuss the role's challenges at HIMSS event
During a panel session at the HIMSS Healthcare Cybersecurity Forum, healthcare CISOs discussed top challenges and strategies for success in the role.
WASHINGTON, D.C. -- During a panel session at the HIMSS Healthcare Cybersecurity Forum on Oct. 31, 2024, several healthcare CISOs from organizations across the country discussed the unique challenges of the chief information security officer role in healthcare.
The panel session began with a question posed by moderator Erik Decker, vice president and CISO at Intermountain Health, about the cybersecurity workforce shortage and whether it is actually affecting healthcare as much as global data would suggest.
For example, a 2024 ISC2 study found that the global cybersecurity workforce needs to increase by 87% to fill the current workforce gap. CyberSeek data showed more than 500,000 unfilled cybersecurity positions in the U.S.
"I think it's real, I just think we feel it at different levels," said Kate Pierce, virtual CISO and executive director of government affairs at Fortified Health Security during the session.
Pierce is a former longtime CISO at a rural hospital in Vermont and acknowledged that rural and critical access hospitals face workforce challenges on a different scale than larger organizations do.
"The difference between being a Johns Hopkins or a UNC versus being a small critical access hospital or even just a one- or two-provider practice is significant because you have the same requirements. You have to protect your network, you have to do all those things, but you have a fraction of the staff."
Losing just one cybersecurity professional at a rural hospital might equate to losing half the staff, Pierce noted.
For Dee Young, CISO at UNC Healthcare, North Carolina's largest academic health system, the workforce shortage looks different.
"Yes, there is a talent shortage -- I think it's more a lack of skills and ability and expertise in healthcare though," Young said, distinguishing this from a lack of people seeking jobs in the industry.
"I focus more on keeping the professionals that I have and making sure that I don't have those open roles," Young continued.
Young advised those looking to enter the cybersecurity field without prior IT experience to get internships and work on foundational IT skills to get a sense of what working in the industry is like.
Beyond staffing challenges, the CISOs shared their thoughts on the demanding nature of the CISO role.
"I think the amount of pressure on the CISO is not comparable to other things," Pierce noted. "It's a 24/7 constant pressure to deliver a secure system."
Darren Lacey, former CISO at Johns Hopkins, stressed the importance of maintaining a network of peers and colleagues that you can talk to while navigating the stress of the job.
In addition to the pressure of the job, the panel of CISOs contemplated the future of the role as the industry increasingly sees CISOs taking the brunt of the scrutiny in the wake of cybersecurity incidents.
For example, in October 2023, the Securities and Exchange Commission (SEC) charged SolarWinds and its CISO with fraud in the wake of a massive 2020 cyberattack. A judge later dismissed most of the SEC's charges, but the case still serves as a turning point in how the role of the CISO is viewed.
Controlling the narrative of a CISO's role is challenging, the panelists acknowledged. It is more than just having a seat at the table in a room of C-suite executives.
"You can have a seat at the table, but you really need to have a voice there to be able to bring the organization into agreement that cyber is a priority," Pierce said.
The panelists stressed the importance of communicating effectively with the C-suite and continuing to use their role to vocalize the crucial tenets of cybersecurity.
Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.