Security remains top of mind for organizations across Canada, from IT leaders all the way up to the executive boardroom. Here in British Columbia, there is an annual event called the BC Aware Campaign which is meant to educate the broader community on today’s cybersecurity challenges.
Oliver Grüter-Andrew is the CIO of the Provincial Health Services Authority (PHSA), Vancouver Coastal Health (VCH) and Providence Health Care (PHC) in British Columbia. He will be participating in a panel discussion put on by the Vancouver chapter of the CIO Association of Canada. The three health organizations for which Oliver has IM/IT responsibility have a combined workforce of over 95,000 staff, physicians, nurses and volunteers.
PHSA’s primary role is to ensure that British Columbia residents have access to a coordinated network of high-quality specialized health care services; it also operates provincial agencies including BC Children’s Hospital, BC Transplant, and BC Cancer Agency. VCH and PHC provide hospital and community care services in BC’s Lower Mainland, as well as a series of specialized tertiary services for all BC residents. All three organizations have an extensive research and teaching focus.
I spoke with Oliver to get his unique leadership perspective and insight across a variety of topics related to cybersecurity – from education to investment.
Brian: What current threats are driving investments in security?
Oliver: “In healthcare, we are concerned about many of the same security threats that also affect other sectors: there is a significant rise in phishing attacks that aim to take over an identity to access confidential files. The objective of the attackers is to obtain personal identity or credit card information that has resale value in their marketplace. We are also concerned about accidental release of personal information by those duly authorized to access it, as a result of inappropriate storage or handling of the data. In response we need to take a number of diverse measures: I believe that education of our system-user community is the most critical key, with regular communication about security risks, how to see and avoid them. In addition, we need to put in place appropriate technology safeguards. But the need for security has to be balanced with the need for legitimate access to data without onerous barriers. This drives the case for investments in more sophisticated tools that help us differentiate rightful access from hacking, and facilitate secure sharing of sensitive information without being a barrier to collaboration.”
Brian: How can IT executives justify their cybersecurity investments… before they get hacked?
Oliver: “Regrettably there are now a number of significant breach examples in every industry, so that IT executives can tell the story of very real risks to their Boards. Steady media coverage of emerging cyber threats also helps elevate the risks in the minds of those whose approval to invest is required. The key is to tell a balanced story that does not descend into hysteria, but which is based on risks we can substantiate. No organisation can afford all the investments it could possibly make to better secure the data in its custody. Therefore, a solid understanding of the risks and a risk-based approach to investment prioritization is required.”
Brian: How are you dealing with the security skills shortage and balancing internal versus external resources?
Oliver: “Information security is a rapidly growing industry that holds significant career opportunities for IT professionals. A key to dealing with the skills shortage is to invest in our existing IT professionals who have the interest and aptitude to develop into IS experts. The added advantage over brand-new hires is that a critical element to successful IS risk mitigation is a deep understanding of an organisation’s systems landscape, which is typically available with existing staff. In addition to cross-training current staff, we see increasing opportunities for partnerships with third parties. As the IS industry has expanded, the number of companies offering services has increased and their delivery maturity has improved. The key here is to ensure that architectural and solution design skills in information security remain in-house, while execution skills such as penetration testing and security solution implementation can now frequently be provided by a partner.”
Brian: What role can audit and compliance requirements play in garnering cybersecurity spend?
Oliver: “Audit and compliance can play a critical and highly constructive role, if the relationship with the IT department is set up as a partnership. Auditor skills have steadily shifted to understand methods for risk assessment and prioritization, and IT auditors can bring a deep understanding of regulatory and practical security requirements. I think it is critical to engage an Internal Audit department at the very outset of system design and security thinking, to agree the level of protection required and the measures by which we assure this protection. This allows the IT teams to implement the systems according to agreed-to security standards, and for the eventual security audit to be a verification of design implementation, rather than an exercise in gap-finding that leads to unplanned costs, delays and frustration.”
The BC Aware Campaign 2016 is a “call to arms” to draw focus to the inherent risks associated with cyberspace, and to offer simple, practical advice on how to minimize exposure to these risks.