As I travel the country talking with health systems about their security programs, I can’t help but notice that lately there has been an increased focus on security talent.
I often find myself in conversations about how to attract and retain sufficient talent to run a comprehensive security program. These discussions encompass the entire security organization from Chief Information Security Officer (CISO) to analyst. This industry-wide challenge is validated with a simple search on healthcare security openings on LinkedIn.
Many of the healthcare leaders I talk to have interviewed and even made offers to numerous CISOs — only to come up short. These discussions very quickly turn to, “Why am I having such a challenge finding a CISO?”
There is no simple answer and the fix tends to be different for each organization, but what I can tell you is that healthcare security professionals are in high demand. Let’s unpack this issue a bit further.
If well-qualified, experienced CISOs are in high demand, then they will have numerous options for employment, right? Wrong. A strong CISO is not looking merely for a place of employment; they are searching for an organization that is serious about increasing its security posture. Articulating your organization’s commitment to security during the hiring process is where most organizations fall down and, thus, lose the interest of top CISO talent.
Health systems must realize that they are competing against large corporations and fast-paced technology companies that have already made solid commitments to security.
Moreover, these companies lay out a security vision during the recruitment process that comes from the top of the organization and is well-articulated. In order to compete with these organizations when searching for a CISO, you must be able to communicate your organization’s vision for security, the resources that the CISO will have at their disposal, and any available capital.
Most available CISOs seek to join a place where they will be well-equipped to make a difference in the security posture of the organization and make a positive impact. The first step to solving your CISO talent problem is to craft a vision for your organization’s security program and then be prepared to articulate it throughout the recruitment process.
A natural follow-up question I receive is “How do I do that? I need the CISO to craft the vision for me.” While I certainly understand the question, I like to remind folks of the difference between a vision and a mission. Talented CISOs are looking for a security vision that the health system takes seriously and that has buy-in at all levels. From there, the CISO can craft the mission, rally the troops and ultimately increase the security posture of your organization. Without this, they will forgo the position to join an organization more committed to security.
As you roll down the organizational chart, the talent challenge becomes much more tactical. Analysts are searching for an organization that will help them develop their talents and expose them to cutting-edge security tools. For organizations with a limited security team, this is a big challenge.
My answer to the challenge is a very simple question: “Are we fighting the right battle?”
If health systems struggle with finding security talent, keeping security talent and providing continuity to their security program, should they keep fighting the war on talent or seek alternative business models?