There has been a dearth of cybersecurity professionals to protect healthcare provider organizations for some time – and the problem is only getting worse.
That’s one of the most pressing trends when it comes to recruiting and retaining cybersecurity talent. And it will also be a major topic addressed during “Team Building, Growing and Retaining Talent: The Secret to Success,” a panel discussion at the HIMSS Cybersecurity Forum, a digital event coming December 6-7.
The panel will explore current trends in the information security job marketplace, culture cultivation strategies, assessing what future hiring and training requirements will look like, as well as challenges around retaining talent.
Healthcare IT News sat down with panelist James L. Angle, product manager, IT services, information security, at Livonia, Michigan-based health system Trinity Health, to get a preview of the discussion. Angle has a doctorate in business administration with a specialization in computer and information security.
Q. What are a couple trends you see in today’s information security job marketplace?
A. First and foremost, the biggest trend in the cybersecurity marketplace is the lack of talented cybersecurity professionals. The gap keeps getting wider with each new threat that materializes.
As threats like ransomware evolve and become more sophisticated, employers realize they need more help, and this puts a strain on the limited number of cybersecurity professionals. As demand goes up, so do salaries, and this makes it more difficult for small to mid-sized healthcare organizations to compete for available talent.
Another trend is the attack surface of healthcare organizations that is expanding and changing with the move to cloud computing. In the past, organizations built a strong perimeter defense to keep unauthorized people out.
“As demand goes up, so do salaries, and this makes it more difficult for small to mid-sized healthcare organizations to compete for available talent.”
James L. Angle, Trinity Health
This approach is no longer viable as cloud computing places the organization data outside the perimeter. This requires a different skill set to manage the threat, which means more cybersecurity professionals with these skills are needed. This exacerbates the problem.
These two issues are driving employers to ask for cybersecurity professionals with multiple skill sets to cover their requirements. If you look at job announcements, you will see employers asking for someone who is an expert with perimeter security, endpoint security, cloud computing, and governance, risk and compliance (GRC).
The problem is that most security professionals do not have multiple skill sets. While they have a basic knowledge of all these skills, they do not have the expertise in all of them.
Q. How do you cultivate a good information security culture in healthcare?
A. First, hire the right person for the right job. By that I mean don’t hire someone with a soft skill like GRC to be your firewall administrator, or a firewall administrator to be your security architect. These are vastly different skills, and each takes training to become proficient.
You should cross-train all your personnel, but don’t hire people for jobs they are not qualified for. You are only setting them up for failure.
Provide training for your cybersecurity staff. The threat is evolving and getting more sophisticated every day, so they must keep up with the changes.
Also, if you have people with IT skills who want to learn cybersecurity, encourage them by setting up in-house training and help them develop the skills. Most security people I know would like to help others develop cybersecurity skills, and could help train others.
Another important thing for developing good security practices is for leadership to talk about cybersecurity and lead by example.
Q. What are a couple challenges around retaining information security talent, and how do you overcome these challenges?
A. There are two big challenges around retaining cybersecurity professionals. The first is the shortage of cybersecurity professionals. This shortage means that some organizations will attempt to hire workers from other companies. This drives up salaries and makes it harder for healthcare organizations to hire and keep talent.
The second and most important aspect is how cybersecurity professionals are treated by their organizations. Let’s face it, no one likes having to practice good security. Long passwords, blocked websites and many problems that arise are blamed on security. This leads to security professionals being treated as if they were an impediment to productivity, rather than an asset.
James Angle, along with Vugar Zeynalov, CISO at Cleveland Clinic Health Systems, and Steve Martano, partner in the cybersecurity practice at Artico Search, will explain more in the session, “Team Building, Growing and Retaining Talent: The Secret to Success.” It’s scheduled to air from 3:10-3:40 p.m. ET on Tuesday, December 7.