A vCISO usually works offsite, away from the rest of an organization, notes Jason Kemmerer, solution architect at Forcepoint.
“A virtual CISO is an executive who is responsible for the oversight of an organization's security initiatives related to its data, technology and people,” Kemmerer says. “The difference being that the executive is primarily remote and may not be located in the same city as the organization’s headquarters or remote campuses.”
Hiring a vCISO is a good choice if an organization spans several regions and cannot find a cybersecurity professional in the health system’s geographic area who meets the organization’s needs. It’s also a way to find healthcare-specific cybersecurity experience, Kemmerer says.
A vCISO collaborates with an internal security team at a health system to develop a comprehensive cybersecurity strategy that involves “setting goals, defining priorities and aligning security efforts with business objectives,” Kemmerer says.
vCISOs also handle risk management and assessment, compliance and skill development. A key aspect of the vCISO’s role involves incident response planning, Kemmerer says.
A vCISO should “develop an effective response plan and ensure it’s regularly reviewed and tested to ensure readiness for a security incident,” Kemmerer says.
Sometimes an organization that has just launched will begin with a vCISO, and then regulatory requirements will lead them to hire an internal CISO, according to Sergile.
How Can Health IT Teams Benefit from a vCISO?
For healthcare customers, Sergile acts as an internal CISO to run security programs, manage staff and make key decisions. During his first two weeks at one engagement, the organization suffered a data breach, he recalls.
“I basically had to hit the ground running, and within those first two weeks, I stood in front of a panel of cybersecurity insurance providers and explained what our plans were for the next six months,” Sergile says. “And even after having a big breach, they were still able to get cyber insurance.”
During this experience, Sergile helped the organization with its cybersecurity strategies based on HIPAA requirements as well as security and privacy controls published by the National Institute of Standards and Technology in NIST SP 800-53. He identified where the organization had gaps and helped it fine-tune its security plan.
A vCISO in healthcare often steps in when a security leader leaves or when the healthcare system needs help in recovering from a breach. In fact, a healthcare organization may decide to furlough the security leader after a data breach and hire a vCISO, Sergile says.
“If there is a time where somebody leaves an organization, that’s kind of a big deal for most healthcare organizations, because that oversight is required under HIPAA, and you want something to bridge that gap and provide continuity,” Sergile says.