Blog Post

4 keys to finding—and retaining—the right security leader

February 12, 2018

The current cybersecurity landscape brings a host of problems for health care organizations (HCOs): escalating financial stakes, sophisticated and quickly evolving cyber threats, and an incredibly in-demand security talent market.

At the helm of an organization's cybersecurity talent is the chief information security officer (CISO). Today, the CISO is central to the provider organization's ability to fulfill its mission to care for patients, but finding and keeping an effective, talented CISO can be a challenge.

With 3.5 million cybersecurity job openings worldwide expected by 2021, the demand for talented security professionals is at an all-time high, spans all industries, and far outstrips the supply of security leaders. Such a lopsided talent market requires HCOs not only to choose the right candidate for their organization, but also to foster a supportive and security-focused environment in which their chosen CISO will want to stay for the long haul.

Read on to learn four key actions to ensure your organization finds—and keeps—a strong security leader.

1. Put the right CISO candidate in seat

A great CISO has a combination of traits rarely found in one person: He or she must be technically skilled, but also a strong leader with sharp business acumen and a bit of a politician to get things done. A strong willingness to learn and adapt should underpin these core traits. Top candidates will seek to learn the needs and culture of the organization and craft security plans that fit those needs.

To find the right candidate, key senior executives—including the CEO, CIO, COO, CFO, and CMO—should participate in the interview process. These executives need to have confidence in the CISO, so they should play a role in the selection.

2. Be frank about what the candidate may be walking into

A September 2016 survey of security personnel revealed that the top contributing factors for CISO turnover included a lack of a serious cybersecurity culture (31%), a lack of active participation with executives (30%), and higher compensation offered elsewhere (27%). These factors signal a need for HCOs to be candid about the organization's environment throughout the interview and selection process, so the CISO candidate fully understands what he or she may be walking into and churn in the position is limited.

Frequent turnover compromises stability. When an HCO isn't upfront about the organization's situation and goals, the organization can end up with a revolving door that leads to security lapses, inconsistencies, and increasing risk.

3. Support and empower the CISO

Whoever is chosen as the new information security leader must be given a real chance to succeed. Organizations with effective CISOs who stay for the long term approach security as a team sport and do not place blame or point fingers when something happens. The contributing factors to CISO turnover listed above indicate that senior leader and board engagement in cybersecurity affairs is critical to empowering your CISO. Historically, many information security leaders have been highly technical individuals unaccustomed to the type of business discussion that happens at the C-suite or Board level. Partnerships like an executive mentor program can illustrate organizational support for the CISO and their cybersecurity efforts as well as further hone the CISO's skills in effective boardroom conversation.

4. Explore unconventional options

What options remain if your organization still struggles to fill or retain a CISO? Viable non-traditional solutions do exist.

One option is to cultivate and train an internal senior leader with a strong interest in the field to fill the CISO role.

Additionally, several well-established security firms offer a virtual CISO option, with which some Health Care IT Advisor members have reported positive experiences. With this option, it's imperative to establish a collaboration approach, set clear service expectations from the start, and identify a main point of contact on the vendor side to build and leverage institutional knowledge.

While there's no end in sight when it comes to the difficulty of navigating the cybersecurity talent market, there are several ways HCOs can ensure they hire the right candidate for the organization and keep them in seat. Download and read our latest report Rising to Prominence in the New Security Landscape: Health Care's Chief Information Security Officer to learn about other top considerations for the CISO role.
