The chief information security officer (CISO) position has frequent turnover, but CISO Ray Biondo has been balancing risk against business demands at Health Care Service Corporation (HCSC) since 2005.
"The secret to my success, because the lifespan of a CISO is probably about three years, is really taking the risk-based approach and making sure you engage the business and get their vote," Biondo recently told Information Week.
To do so, Biondo moved his CISO risk-management role away from fear, uncertainty and doubt toward open communication and education among peers.
"I wanted to present to them in business language, what the issue was," he told Information Week. "I'm educating the business about risk they never would have known about and also the IT executives, in some cases, wouldn't have known about."
Communication and education were also hallmarks of former Cigna CISO Craig Shumard's tenure, especially when it came to social networking tools.
And as organizational departments within health insurers--such as claims, underwriting and accounting--depend more on technology, IT security leaders must work together with department heads to leverage each other's skills and knowledge in tech investment decision-making, Insurance & Technology reported.
Various CISOs continue to collaborate with execs on technology decisions, but they can do better at working with other healthcare organizations. In fact, a recent cyber attack simulation conducted by the U.S. Department of Health & Human Services and the Health Information Trust Alliance revealed that healthcare organizations need to be more willing to share information and best practices, according to Kevin Charest, CISO at HHS.
The simulation also called out healthcare's biggest cybersecurity weakness: its inability "to coordinate and collaborate cybersecurity information among a myriad of healthcare companies that include smaller providers, diagnosis centers, medical device makers, hospital systems to payers," WellPoint CISO Roy Mellinger recently told CareersInfoSecurity.