“We want to use this data to create a dashboard that gives companies an understanding of where they sit within the healthcare industry,” Stafford says. By collecting survey data from IT leaders in healthcare, the project is intended to establish a common set of metrics and create a baseline of where the industry stands.
IT Leaders Need Context for Their Security Efforts
The purpose of the survey, Stafford says, is to give IT leaders a clearer perspective on how their security efforts compare with the healthcare industry as a whole. For example, if an organization’s anti-phishing program aims to reduce the likelihood that users will click on a suspicious link in an email, knowing that the organization’s click rate is 1 percent is useful. But knowing that the industry average is 5 percent provides context that shows the organization’s anti-phishing efforts are more effective than the industry average.
Establishing this context has been challenging for several reasons, says Steve LeBlond, vice president of information services and COO of the IS division at Ochsner Health, which is working with CDW on the survey. As a practice, cybersecurity is relatively young, LeBlond says, pointing out that just 10 years ago, few organizations had a CISO position within their corporate structures. In addition, the industry has not established a commonly accepted set of security metrics that should be measured, and, in general, organizations are reluctant to share data about their security efforts for fear of giving cybercriminals information that could be used against them.
Ochsner has built a dashboard that gives the health system’s IT team a clear look at how it is performing in security domains relevant to the National Institute of Standards and Technology’s Cybersecurity Framework. But while the dashboard can tell Ochsner’s IT professionals how many of the company’s endpoints may not have anti-virus software installed, it gives no indication of how this performance stacks up against the rest of the healthcare industry. LeBlond sees this as a serious challenge. “We’re always working to improve,” LeBlond says. “But without a baseline to reference, we don’t have objective information on how much our efforts have improved our position relative to the industry.”
Taking Measure Against Security Challenges
Every organization should know where it stands on a number of fundamental security metrics. The CDW survey will provide this perspective. IT leaders responding to the survey will report their performance on metrics such as the percentage of unknown devices logged on to their networks versus known devices (a measure provided by many network access control solutions). Other measurements will include the average number of critical vulnerabilities discovered by penetration testing, the percentage of servers that have been backed up in the last 24 hours and the percentage of employees who have completed security training. Organizations that participate in the survey will have detailed access to the results.
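To make the metrics above concrete, here is an added example (not code from the article, CDW or Ochsner) that derives three of them from raw operational records and compares each against an industry baseline. The asset inventory, NAC log, backup timestamps, training counts and baseline figures are all constructed for illustration and are not survey results; field names such as `mac` and `result` are likewise assumptions about how such records might look.

```python
"""Compute a few of the security metrics described in the survey from raw
records, then compare each one against an industry baseline.

All data, field names and baseline figures in this file are constructed
for illustration; none come from the CDW/Ochsner survey."""
from datetime import datetime, timedelta, timezone

# Constructed asset inventory: the MAC addresses the organization knows about.
KNOWN_DEVICES = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}

# Constructed network access control (NAC) log: one record per authentication.
NAC_EVENTS = [
    {"mac": "aa:bb:cc:00:00:01", "result": "allow"},
    {"mac": "aa:bb:cc:00:00:02", "result": "allow"},
    {"mac": "aa:bb:cc:00:00:01", "result": "allow"},       # same known device again
    {"mac": "de:ad:be:ef:00:99", "result": "quarantine"},  # not in inventory
]

# Constructed backup records: last successful backup per server (ISO 8601, UTC).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
BACKUP_RECORDS = {
    "srv-ehr-01": "2024-05-01T03:10:00+00:00",   # ~9 hours ago  -> fresh
    "srv-ehr-02": "2024-04-30T14:00:00+00:00",   # 22 hours ago  -> fresh
    "srv-pacs-01": "2024-04-29T02:00:00+00:00",  # > 2 days ago  -> stale
    "srv-lab-01": None,                          # never backed up -> stale
}

# Constructed training figures.
TRAINING_COMPLETED = 17
HEADCOUNT = 20

# Constructed industry baseline (assumed figures, not survey output).
BASELINE = {"unknown_device_pct": 8.0, "backed_up_pct": 70.0, "training_pct": 85.0}
# For these metrics a lower value is the better result.
LOWER_IS_BETTER = {"unknown_device_pct"}


def pct(part, whole):
    """Percentage rounded to one decimal; 0.0 when there is nothing to measure."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def unknown_device_pct(events, known):
    """Share of distinct devices seen by NAC that are absent from the inventory.

    Counting distinct MACs (not raw events) keeps a chatty known device
    from diluting the figure."""
    seen = {e["mac"] for e in events}
    return pct(len(seen - known), len(seen))


def backed_up_pct(records, now, window=timedelta(hours=24)):
    """Share of servers whose last successful backup falls inside the window.

    Servers with no backup on record count toward the denominator only."""
    fresh = 0
    for last_backup in records.values():
        if last_backup is None:
            continue
        if now - datetime.fromisoformat(last_backup) <= window:
            fresh += 1
    return pct(fresh, len(records))


def compute_metrics():
    """Collect the three metrics into one dashboard-style mapping."""
    return {
        "unknown_device_pct": unknown_device_pct(NAC_EVENTS, KNOWN_DEVICES),
        "backed_up_pct": backed_up_pct(BACKUP_RECORDS, NOW),
        "training_pct": pct(TRAINING_COMPLETED, HEADCOUNT),
    }


def compare(metrics, baseline):
    """Map each metric to (value, baseline, verdict).

    The verdict honours metric direction: being below the baseline is
    'better' only for metrics where lower is better."""
    out = {}
    for name, value in metrics.items():
        ref = baseline[name]
        if value == ref:
            verdict = "at baseline"
        elif (value < ref) == (name in LOWER_IS_BETTER):
            verdict = "better"
        else:
            verdict = "worse"
        out[name] = (value, ref, verdict)
    return out


if __name__ == "__main__":
    for name, (value, ref, verdict) in compare(compute_metrics(), BASELINE).items():
        print(f"{name:20s} {value:6.1f}%  industry {ref:6.1f}%  -> {verdict}")
```

The direction-aware comparison is the part that matters: a dashboard that simply flags "below baseline" in red would mark a low unknown-device percentage as a problem, so each metric needs an explicit "lower is better" or "higher is better" tag before benchmarking means anything.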
Ochsner’s IT team reports its performance on these and other metrics to its board of directors every other month. Once the CDW survey is complete, it will provide a context to the board that demonstrates how the IT team is performing compared with the rest of the industry. This information is particularly useful for healthcare organizations looking to prioritize their security investments and efforts in the future.
“Once CISOs have this information,” Stafford says, “they’ll be able to go to their CEOs with a clearer idea of how they think the organization should move forward.”