Todd Fitzgerald: CISO Leadership Skills

Chief information security officers need to be able to translate technical projects into clear business terms, says Todd Fitzgerald, co-author of the book, "CISO Leadership Skills: Essential Principles for Success."

In an interview, Fitzgerald:

Describes the managerial skills that CISOs need;
Outlines how to treat a security program as a business;
Stresses the need for security professionals to become certified;
Describes how to win support of senior management for security investments; and
Offers insights on how to prepare for a compliance audit.

Fitzgerald is senior technical compliance adviser at National Government Services Inc., a Medicare contractor that handles claims processing. He is responsible for coordinating all external government audits for the company. He formerly served as a security officer for several other organizations.

His book was published by the International Information Systems Security Certification Consortium.

HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We are talking today with Todd Fitzgerald, senior technical compliance adviser at National Government Services, a major Medicare contractor that handles claims processing. Todd is responsible for coordinating external government audits for the company. He was the co-author of a recent book, "CISO Leadership Skills: Essential Principles for Success," and he formerly served as a security officer for several other organizations. Thanks so much for joining us today, Todd.

TODD FITZGERALD: Good morning.

ANDERSON: Under the HITECH Act, the federal government will soon be ramping up audits of healthcare organizations to determine their compliance with the HIPAA privacy and security rules. Based on your experience dealing with government audits, what advice would you give on how to prepare?

FITZGERALD: We have had to deal with a lot of government audits, as you are aware, and I think one of the key things is that organizations really need to do a deep dive assessment... of the policies in place to support the security controls. Are there procedures in place that support those? And are we really performing those on a day-to-day basis? Are we consistently applying the security controls and mechanisms that have been designed for the environment? Because when the auditors come into the organization, they are going to look at not just whether those exist, but whether we are really being compliant with those controls.

ANDERSON: The book you helped put together described some of the managerial skills that chief information security officers need. Please describe some of those key skills and how CISOs can acquire them.

FITZGERALD: I think one of the key things is the influencing skills that people need to develop. One of the things that I have done in a lot of conferences is I will go around the room and ask for the "30-second elevator speech," you know, if you are facing that individual that has the capability to get that funding in the elevator, what is it that you would say? What I find a lot of times is we are not prepared as to what are those projects, what are those things that are top of mind, or when we are asked "are we secure," how do we answer that question? Being able to pre-think those things is very important. I think also written and oral communication skills are very important. If one were giving presentations to the board of directors or senior management, they really want the top-line information. It may be a lot of detail that was taken to get to that point, but they are really not interested in all of the detailed reports. It is just: What is the issue? What is the impact? What is this going to mean to our organization if we don't take care of this? For people to become good security officers or security leaders, they need to be able to translate things from technical jargon into a business acumen that can be understood by the other people outside of the security realm.

ANDERSON: The book also talks about how to treat a security program as a business. Please describe that approach for us.

FITZGERALD: Just like any business, we need to have clear goals. We need to make sure that our vision and our mission are aligning with the rest of the organization. We need to deal with things on a risk-based basis. Executives all the time are making decisions as to what products or what services to apply; we have to do the same thing within security. Because if we are not taking that time to look at what the risks are, and figure out what projects are going to support us, then when we go forward and ask for that funding we are not really going to have that kind of credibility. We also have to sustain ongoing operations just like any business. We have to keep diligent with those security controls every day, not just when the audits arrive. We also need to be marketing to our business. We need to build the middle-management level, the senior-management level and the end-user level, and that has to be a constant refreshing of the security message.

ANDERSON: What other advice would you give to security professionals who aspire to become a chief information security officer or assume another leadership role within information security?

FITZGERALD: I believe that there is a lot of focus today on certifications. There are a lot of good certifications out there. There are the standard ones in the industry that are well recognized, the CISSP, the CISA, the CISM; there are some other certifications coming along. I know the different organizations are coming up with new ones all of the time... Security professionals need to recognize that certification provides a baseline, a common language by which we can converse with each other. After that, it really takes that diligence of staying up with the industry. And by that I mean networking, getting out with your peers, getting out with those other associations, going to conferences, talking to people, even if the travel budget is thin. There are still a lot of webinars that people can take advantage of. There is a lot of interaction through web sites to learn what other people are doing and what they are facing. I think you must also know the controls at a very deep level. I think the NIST 800-53 set of controls is an excellent place to start. You really need to understand what those controls are and what strategies could be used to implement compliance actions to take care of those risks. And then you need to add other types of education... I think it has always been difficult, with security being seen as part of the IT organization, but we also need to learn those other disciplines. We need to learn things about accounting and finance and marketing and the other business areas, and I think some of the advanced education goes a long way to that. In fact, when we did a survey for the book, we found that close to 37 percent of those people that were holding senior leadership positions in security had a master's degree or above.

ANDERSON: What tips would you give information security leaders on how to win the support of management for investing in security technologies and strategies? Is compliance with the HITECH Act and HIPAA a strong enough motivation, or do CISOs need to spell out the potential costs of security risks more specifically?

FITZGERALD: Very good question. I believe that the compliance with the regulations typically provides the initial impetus. If we look back to when HIPAA first came out, there were a lot of committees formed and a lot of energy devoted to understanding it... I think as we get more subsequent regulations coming along, they are more seen as "add-ons" that we need to address and that get assigned to the different business units. One of the most effective ways to get senior management's attention is to have a security council that is made up of representatives of human resources, legal, the different business units, physical security, all across the line. That way, it provides a way to vet what those policies are and then those policies can get the approval at the senior management level. That is a very effective way to gain the attention of the right individuals, and also to get the grass roots support within the organization that is very much needed for the success of the implementation.

ANDERSON: Any final thoughts on how the roles of CISOs and other information security professionals are evolving in healthcare today?

FITZGERALD: Well, I think healthcare is really a great place to be within information security, with all of the changes that are happening. If we look at the last few years with the movement into electronic health records, that is just going to be continuing. Interoperability is really the place where we are going to see growth within the healthcare security field.

ANDERSON: Thanks very much, Todd. We have been talking with Todd Fitzgerald of National Government Services. This is Howard Anderson of Information Security Media Group.
