Consider context when building IT security program

BOSTON—Health IT security is a conversation that largely remains in the technical domain rather than strategy, said David Ross, general manager of General Dynamics Commercial Cyber Services, speaking at the 2015 Privacy and Security Forum.

“Business leaders are more aware of cyber risk but struggle to connect cyber issues to business impact,” said Ross. “Vendors are responding with technology and intelligence data. Are we keeping up?”

Cyber venture funding deals were occurring at a rate of one a day in 2014, and in 2015 the worldwide intelligence services market hit $1 billion. However, there is a cybersecurity gap given the increasing rate of incidents, Ross said.

There are “more tools than you can shake a stick at” but technology is not enough. “You need the people and the processes.”

The people bucket can be challenging, he said, because there are more open roles than ever for cyber professionals but not enough professionals available to fill them.

Ross said there are three different contexts that are important to consider. IT context is where most companies spend all their time and effort. “That is important but there’s more to the problem. To be world-class, you have to look at the business context.” For example, hospitals are different than payers in terms of what systems are connected and how people use the systems. Lastly, external context covers the market conditions and regulatory environment. Ross recommended that organizations that want to build a security program take all three into consideration but address each separately.

The different contexts are important because “building castle walls doesn’t work. You have to actively defend,” said Ross. Organizations must use security information to continually improve security. “Do you use what you’re seeing and finding as input back into your process? Don’t just plug the hole in the dyke. This agile methodology is more efficient than trying to buy your way into better security.” 

Beth Walsh, Editor
