Mitigate Deeper Issues Rather Than Bandaging Symptoms
In cyber safety, short-term fixes are sometimes used without in-depth analysis of the root cause of the issue.
An organization feels certain symptoms, such as numerous vulnerabilities on systems or poor cyber practices among its people, and often looks to bandage solutions such as tools and technologies to fix its issues, without conducting a truly in-depth analysis of what these symptoms might reveal about underlying causes.
Instead of thinking about what can be done to mitigate the deeper issues, the focus is just on the immediate symptoms.
Getting At The Root Cause
Thankfully, there is a common strategy for getting to the heart of the issue. We need to use a holistic and integrative approach: perform a root-cause analysis of the factors that create the symptoms, then determine the best approach by taking a holistic view of what is needed and integrating a variety of aspects into a well-designed solution.
Let me break this into smaller parts, using the example of a healthcare organization that is concerned about cyber safety. Using the mind-body-energy connection that is well known in the healthcare field, for the “mind” aspect, let’s consider the mindset of an organization, its leaders, and its staff. How are cyber safety and security regarded in the organization? Are they thought of as a barrier to the mission, or an enabler of the mission? Do all the roles, stakeholders, users, and leaders look only to the CISO or their teams to solve their cyber gaps, or do they feel that everyone has a role in cyber?
In this example, an organization’s tools and technologies will stand in as the “body” aspect. Is each tool an organization deploys truly analyzed for all the capabilities it offers? How many of a tool’s functionalities are actually being used? How many tools does the organization have that all seem to do similar things, and how effective are these tools? Are the tools and the results they achieve measured against a standard baseline for effectiveness or efficiency?
Building A Culture That Supports Cyber Safety
For the largest and most important aspect of this connection, let’s look at the “energy” or culture of the organization. The energy of the organization is the culture, which always starts with its leadership. Are diversity and inclusion factored into the organization, including its cyber teams? What is the level of social and emotional maturity within the organization and its people? Are staff provided with training and opportunities to learn emotional intelligence or interpersonal communication skills? Is there freedom to innovate and bring creativity into the workplace? Last but not least, are staff empowered to do the right thing even when no one is watching?
All of these aspects make up a robust and comprehensive cyber safety program in any organization:
- Empowering people with the right skills, knowledge, support, and opportunities and embedding cyber into everyone’s roles;
- Looking at technical solutions using a holistic view to truly provide effective and impactful solutions (instead of bandage solutions);
- And taking a community-centered approach to cyber within an organization and between organizations so that everyone understands their role in protecting and safeguarding the mission.
There are many ways to ensure that cyber is factored into every aspect of an organization. We must include security in every step of a system’s lifecycle. Systems include anything that is purchased that is considered “IT,” such as computerized systems, medical instruments/devices, applications, networks, servers, workstations, etc. Cyber security reviews and analysis must be built into the procedures starting from the acquisition stage, through implementation and operation, and at the disposition stage. This will ensure that security concerns and risks are captured and mitigated from the beginning all the way through the end and help avoid sudden surprises and reactive measures.
Another aspect of ensuring cyber is embedded into everyone’s roles is to make sure that the people in each role within an organization are properly trained on how to do their jobs in a secure manner, are provided opportunities to learn on the job, and also have opportunities for commercial training.
Taking A Bird’s Eye View
Lastly, as technology progresses and gets more complex, we must take a moment to pause and step back to look at things from a holistic viewpoint. Too often, people are running towards the next newest thing or the next “shiny” tool or technology that everyone else is using, assuming that it will be a magic bullet or cure for all the concerns. It will be in our best interest as healthcare organizations to take a step back and look at the big picture, to dig deep and find the root causes of our concerns so that we can truly effect positive changes in cyber throughout our organizations.