Governance key to making security progress

“Traditionally, the security guy is the bad guy. Historically, security has to kick open doors. Governance is the key to open those closed doors,” said Kim Sassaman, director of information security and HIPAA security officer, Presbyterian Health System in Albuquerque, speaking during a webcast on security governance hosted by the Institute for Health Technology Transformation.

“Security controls tend to lead to lots of frustration,” he said. Having others make the decisions, through governance, can alleviate some of that frustration and aid in adoption.

Governance is not “a bureaucratic red-tape committee,” but a “decision-making body that can prioritize your work,” said Sassaman. With a governance group prioritizing projects, “it’s harder for someone to come in and move targets around or disrupt your roadmap.”

Sassaman said his organization started by determining what the committee would try to accomplish, agreeing on which roles should be represented without creating a huge group and drafting a charter. The committee was named Ispot, or information security privacy oversight team.

Sassaman listed the following responsibilities of Ispot, which works as a collaborative group, not adversarial:

• Reviews emerging and existing risks
• Holds accountable department to mitigate risk
• Reviews and recommends remediation plans
• Approves policy
• Prioritizes efforts
• Escalates issues when needed

Regarding mobile device security, Sassaman said, “We put together a box of Legos they could play with. Any combination would be considered meeting regulatory requirements and ensuring a proper level of security.” He said the group came up with a very cost-effective solution and showed “how governance can and does work.”

The governance group also helps the organization get away from silo projects. “It can definitely be a wild rabbit you’re always chasing through the field. All things that touch on security come through that group so we have that accountability later.”

Sassaman recommended keeping it simple. “Never assume anything knows anything. When I bring concepts to this governance group, I try to overexplain so that everyone is on board. Security is complex but it affects everything. No one wants to own up to not understanding something.”

For example, he said to watch the language used in settings. “You can have all the education in the world but, ultimately, when you’re face to face, that all goes out the window.” He suggested using language that finance, compliance and legal people understand, not “IT language.”

Seek to clarify, he said, and don’t discount common courtesy. “Educate without being demeaning. Most of these individuals are interested--they showed up. Thank them for being there.” Be approachable and personable, he said, and “don’t be the dominant voice. Compromise is hard but necessary. Some security is better than no security. If you can get that inch great, because then maybe next year you can get another inch and slowly move forward. If you dig your heels in, you’re setting yourself up for failure.” Making trade-offs is a great approach, he said, because that helps build momentum.