So it looks like the broader business community is getting religion on cybersecurity--and it's about time. Organizations are finally considering the impact of not just regulatory oversight, but also of the true price of bad press. After all, what would you want to pay in order to keep your company name out of the headlines?
The cybersecurity game is all about risk management: assessing the likelihood of something happening, deciding what the consequences and cost of such an event might be, and weighing all that against the cost of the various countermeasures your organization might invoke to protect against the threat.
So if you've decided it's time to get down to really building your cybersecurity program, one of the places you can start is with the assessment. This naturally means understanding a couple of key issues: what is your risk tolerance as an organization, and how well do your internal processes stack up against a defined standard or security framework?
There are lots of options out there for frameworks to choose from, but it's always best to consider what organizations similar in size and complexity to your own are up to. For those who go the ISO route, consider the ISO 27000-series security frameworks. If your organizational focus is more in North America, or if you are a smaller entity looking for a good standard that's easy to understand and actionable, consider the NIST framework.
Oh, and don't think of this as a once-and-done kind of exercise. Your organization should design and implement a regular review/renewal cycle of risk assessment. Keep on top of what concerns you the most, because you'll find that over time the threat environment evolves--sometimes rapidly. And when the chips are down, that's NOT the moment to start thinking of ways to address risk.
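To make the weighing described above concrete, here is an added example (not code from the original post) of a small quantitative risk register. It uses the common annualized-loss-expectancy approach, which the post does not name but which implements exactly its three inputs: likelihood (occurrences per year), consequence cost per occurrence, and the yearly cost and effectiveness of each countermeasure. All risk names, dollar figures and reduction percentages are constructed for illustration, and the tolerance threshold is an assumed organizational setting.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Risk:
    name: str
    single_loss: float   # cost of one occurrence (consequence)
    annual_rate: float   # expected occurrences per year (likelihood)

    def annual_loss_expectancy(self) -> float:
        # ALE = single loss expectancy x annualized rate of occurrence
        return round(self.single_loss * self.annual_rate, 2)


@dataclass
class Countermeasure:
    name: str
    annual_cost: float
    rate_reduction: float  # fraction of occurrences it prevents, 0.0..1.0


def residual_ale(risk: Risk, cm: Countermeasure) -> float:
    """Expected yearly loss that remains after the countermeasure is in place."""
    return round(risk.single_loss * risk.annual_rate * (1.0 - cm.rate_reduction), 2)


def net_benefit(risk: Risk, cm: Countermeasure) -> float:
    """Loss avoided per year minus what the countermeasure costs per year."""
    avoided = risk.annual_loss_expectancy() - residual_ale(risk, cm)
    return round(avoided - cm.annual_cost, 2)


def recommend(risk: Risk, options: List[Countermeasure], tolerance: float) -> Optional[str]:
    """Pick the option with the largest positive net benefit.

    Returns None when the risk is already within tolerance, or when no
    option pays for itself (i.e. the rational decision is to accept the risk).
    """
    if risk.annual_loss_expectancy() <= tolerance:
        return None
    best = max(options, key=lambda cm: net_benefit(risk, cm), default=None)
    if best is None or net_benefit(risk, best) <= 0:
        return None
    return best.name


# Constructed sample register; figures are illustrative only.
RANSOMWARE = Risk("ransomware outbreak", single_loss=400_000, annual_rate=0.2)
LOST_LAPTOP = Risk("lost unencrypted laptop", single_loss=5_000, annual_rate=2.0)
DEFACEMENT = Risk("website defacement", single_loss=3_000, annual_rate=0.5)

OPTIONS = {
    RANSOMWARE.name: [
        Countermeasure("tested offline backups", annual_cost=30_000, rate_reduction=0.75),
        Countermeasure("managed EDR service", annual_cost=90_000, rate_reduction=0.90),
    ],
    LOST_LAPTOP.name: [
        Countermeasure("full-disk encryption rollout", annual_cost=2_000, rate_reduction=0.95),
    ],
    DEFACEMENT.name: [
        Countermeasure("web application firewall", annual_cost=10_000, rate_reduction=0.80),
    ],
}


def build_plan(tolerance: float = 1_000.0) -> dict:
    """Return {risk name: chosen countermeasure or None} for the sample register."""
    return {r.name: recommend(r, OPTIONS[r.name], tolerance)
            for r in (RANSOMWARE, LOST_LAPTOP, DEFACEMENT)}


if __name__ == "__main__":
    for risk_name, choice in build_plan().items():
        print(f"{risk_name}: {choice or 'accept (within tolerance or no cost-effective control)'}")
```

The point the numbers make is the one in the post: the cheaper backup control wins for ransomware even though EDR removes more of the likelihood, because the extra cost exceeds the extra loss avoided; and the defacement risk is accepted because no available control pays for itself. Re-running this register on a schedule, with updated rates, is the review cycle the post calls for.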
Seeing risk for what it is
“Can I get that in writing?”
Taking on systems one blockchain at a time
Systems professionals with a deep understanding of the regulatory environment in healthcare (or banking, frankly) are best equipped to devise and adapt the most favorable attributes of blockchain design to suit industry data-processing needs. To that I might add that a deep understanding of optimal process would also come in very handy.
We have long struggled in health care to determine what "optimal" workflows really look like. Hospitals and clinicians look to the software vendor to provide efficient data-processing solutions, but software companies rarely have any real understanding of HOW care is best provided. Mostly, the vendors just know what functionality is MOST POPULAR with their customers--hardly a good substitute for optimized processing of data based on an optimized understanding of care.
The resulting systems, no matter how beautifully tricked out with functionality, are incredibly rigid and are difficult to modify, or worse, transfer into newer systems as growth and market evolution inevitably demand. Our legacy systems really can't keep up with the enormous data growth we expect to see in information processing. Add to that the cost of cut-over into next-gen systems, seen against a background of exacting regulatory oversight, and suddenly you understand why banking and healthcare entities would rather "fight than switch," at least as far as systems go.
This is where, I believe, blockchain might be a truly innovative disruptor. One of the curious aspects of blockchain is that the history of the transaction becomes part of the record, whether it's a banking record, a unit of currency, or a healthcare record.
If we were to tuck the history of the transaction right into the transaction itself (and give interested stakeholders shared use of and access to this history), it's easy to see that an organization's core processing system might well be "set free," to a certain extent, from maintaining the large (and ever-increasing) sea of information. Instead, the processing system could focus more on the transformational aspects of the entity's business and the "value-add" that the organization brings to the data.
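The property the two paragraphs above rely on, that each record carries the history that precedes it and cannot be quietly altered, is what a hash chain gives you. The following is an added example written for this post (it is not the post's own code and is not any particular blockchain implementation): a minimal append-only ledger in which every record commits to the hash of the one before it, plus a verifier that reports the first record whose link or content no longer matches. The account identifiers and amounts are constructed sample data.

```python
import hashlib
import json
from typing import List, Optional, Tuple

GENESIS_HASH = "0" * 64  # link value carried by the very first record


def record_digest(index: int, prev_hash: str, payload: dict) -> str:
    """Hash a record's position, its link to the previous record, and its content.

    Canonical JSON (sorted keys, no whitespace) makes the digest independent
    of dictionary ordering, so identical content always hashes identically.
    """
    canonical = json.dumps(
        {"index": index, "prev": prev_hash, "payload": payload},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class TransactionLedger:
    """Append-only list of records, each chained to its predecessor by hash."""

    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, payload: dict) -> dict:
        index = len(self.records)
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        record = {
            "index": index,
            "prev": prev_hash,
            "payload": payload,
            "hash": record_digest(index, prev_hash, payload),
        }
        self.records.append(record)
        return record

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if the chain is intact, else (False, first bad index).

        A record fails if its position or back-link is wrong, or if its stored
        hash no longer matches its content. Because each hash covers the
        previous hash, editing one record and recomputing only its own hash
        still breaks the link held by the record after it.
        """
        prev_hash = GENESIS_HASH
        for i, rec in enumerate(self.records):
            if rec["index"] != i or rec["prev"] != prev_hash:
                return False, i
            if record_digest(i, rec["prev"], rec["payload"]) != rec["hash"]:
                return False, i
            prev_hash = rec["hash"]
        return True, None

    def history(self, key: str, value) -> List[dict]:
        """The full transaction history for one entity, read straight off the ledger."""
        return [r["payload"] for r in self.records if r["payload"].get(key) == value]


def build_sample_ledger() -> TransactionLedger:
    # Constructed sample transactions for demonstration only.
    ledger = TransactionLedger()
    ledger.append({"account": "A-1", "type": "deposit", "amount": 100})
    ledger.append({"account": "A-1", "type": "withdraw", "amount": 30})
    ledger.append({"account": "B-7", "type": "deposit", "amount": 50})
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("intact:", ledger.verify())
    print("A-1 history:", ledger.history("account", "A-1"))
    ledger.records[1]["payload"]["amount"] = 3   # simulate an after-the-fact edit
    print("after tampering:", ledger.verify())
```

One caveat worth stating for the regulated settings the post has in mind: a chain held by a single custodian only proves that custodian's copy is self-consistent, since whoever holds it can rewrite every hash from the edited record onward. The tamper evidence becomes meaningful precisely when the stakeholders the post mentions hold their own copies (or at least the latest hash) and can compare them.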
Banking and healthcare are two marketplaces where regulatory oversight is significant and increasing. Whatever benefit we might see in blockchain, and I suspect there is great potential value there, we need to be keenly aware of HOW we best accomplish our work in healthcare, and how we do so WITHIN the given regulatory environment. Professionals with experience in these critical areas will be most suited to developing and exploiting the promise of blockchain.
Cashing In on Process...
We all know that security organizations benefit greatly from properly documented procedures. After all, who among us has ever forgotten that one item we went to the grocery store for in the first place? Lists work...
There are a number of issues that you might want to focus on in the world of policy and procedure, so here's a place to start. Take the time to actually document functional procedures. This means taking stock of security controls that you employ, and drafting procedures that reflect how things actually get done.
This can be easier than it looks, but with a structured approach, you should be able to find a good many of the day-to-day procedures lurking in your organization. Don't be surprised to find that there are lots of opportunities for standardized behaviors... and lots of evidence that things are happening in a "customized" approach pretty much everywhere.
Organizations worry about the time and expense of documenting standard work processes, but these same entities will invest extraordinary amounts of time looking for small economies of scale to achieve modest but real increases in productivity. Think of standardized work as just another way of achieving predictable outcomes, ones that can actually help your organization's bottom line.
Training versus Education
For all the effort we put into securing our corporate systems from a technical perspective, it's still the case that the bulk of the effort associated with a comprehensive security posture relies on helping our people understand their role in security efforts day by day.
For this reason, security training programs have been implemented far and wide, but does training really fit the bill? When we talk about training, we are really referring to rote repetition of concepts, ideas, and steps in a process. This can be very helpful when teaching your staff the value of a checklist to ensure that each step was completed, but what about when the end user needs to actually interact with the situation and make a decision?
This is where education takes over... When we teach ourselves how to evaluate the evidence at hand and make a decision, that's the heart of real education. The best way to educate your workforce on security concepts is to give them the tools and information, and then step back and let them teach themselves.
This requires more preparation on the part of the instructor, but it will empower your workforce to evaluate the situations they encounter every day and make effective choices... and wasn't that the whole point of the exercise in the first place?