I recently finished a trip where LBMC hosted about ten regional CIOs and CISOs for dinner to create dialogue around HITRUST, cybersecurity, and privacy. We had a great time talking with new and old friends alike about the HITRUST CSF. However, the conversation became very serious among a small group: one was a new CISO, one had been in a new job for a little over a year (“experienced”), and one was an industry veteran in cybersecurity who had been in his role for over two years, and was soon leaving. The new CISO, wide-eyed and excited about his challenges, asked for advice. The “experienced” CISO and the “veteran” CISO offered that he should get his budget set right away. He was also encouraged to get a trusted team in place. The experienced CISO was feeling the burn. His budget wasn’t in line with what he needed, and he was losing sleep over what he didn’t know. And the “veteran” shared his experience with a breach, and the feeling of lack of support after having gone through the same phases as the new and experienced CISOs.

As the evening progressed, my seatmate at dinner was a distinguished attorney with robust international compliance and privacy experience, now in the role of a privacy officer. There is no question that she understands how important security is, and how important it is to have proper documentation for any incident – federal, state, customer, etc. And she certainly understands there is a difference between security and compliance. In the relaxed environment of dinner, she told me she’s tired of hearing “not now” from the board in response to implementing the tools she needs to do her job. Not surprisingly, the entire table of CISOs and CIOs heard this plight. One CISO added, “The average tenure of a CISO is two years.” Another CISO said, “And, we are just scapegoats.” And then, yet another, “I’m 1.5 years in, and just got turned down on my budget. I suppose I’m next.” It struck me that this group all faced the same challenge with budgeting, and lack of support was the underlying cause of their anxiety.

Where can HITRUST CSF help?

The HITRUST CSF is an excellent framework for identifying gaps in the controls, resources, tools, and processes that most organizations are expected to have in place these days. As a risk-based framework, it is tailored to an organization’s specific risk profile. And since that risk profile is set from a defined set of characteristics, all organizations of a similar size, type, and use of technology are assigned the same controls and expected implementation levels. Used correctly, and as the backbone of a business justification, the framework is an excellent tool for communicating gaps to executive leadership by showing how similar organizations operate. The search for “best practices” ends with a framework that already defines them for organizations like yours.

The intensity soon faded to a gentler conversation. However, my three CISO friends are now on a different path, having been enriched through a supportive encounter with their peers to change the conversation. They are now working together to build upon their messages and develop their roadmaps to success. I support them and wish them more than luck! After all, luck is just hard work, disguised as acting on new knowledge from a seemingly “chance” opportunity to learn new skills!