Does Settling for a Less Experienced CISO Make You Liable?

In an open letter issued last month, U.S. Sen. Ron Wyden (D-Ore.) suggested that Change Healthcare and its parent company UnitedHealth Group bear responsibility for the ransomware attack that shook the healthcare industry earlier this year, because the CISO it employed at the time of the incident was allegedly inexperienced.

“One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job,” Wyden wrote. This CISO, he continued, “had not worked in a fulltime cybersecurity role before he was elevated to the top cybersecurity position at UHG in June 2023…”

Whether or not Wyden is correct in this instance, the unfortunate reality is that cybersecurity talent is scarce and in high demand, and many companies struggle to find experienced security leadership. Certainly, one would hope that companies playing a central role in the global supply chain would find a practiced and proficient CISO to helm their cyber programs. But data breaches and ransomware attacks can be messy and unpredictable even for seasoned experts.

Rather than scapegoating the CISO, Wyden said that UnitedHealth Group’s CEO and board of directors are at fault for entrusting the company to a purportedly unqualified security leader. “The Audit and Finance committee of UHG’s board, which is responsible for overseeing cybersecurity risk to the company, clearly failed to do its job,” the senator wrote. “One likely explanation for this board-level oversight failure is that none of the board members have any meaningful cybersecurity expertise.”

This opinion should cause corporate executives to think long and hard: What if we suffer a breach? Will we be accused of failing to hire the right person? What other options did we realistically have?

If enough companies think this way, it could further drive up the value and salaries of experienced CISOs who possess concrete job experience, creating even more financial competition to hire them. Other companies may elect to seek out CISO candidates with recognized industry certifications or university degrees, so that they at least have “proof on paper” that their hiring decision was justified on its merits.

For other companies, especially those without the resources to hire top-tier cyber talent, a viable strategy may be to more accurately identify and classify which security skills are most critical to develop within their IT environments, and then hire and/or upskill accordingly to meet those needs. To accomplish this, companies are encouraged to utilize helpful tools such as the NICE (National Initiative for Cyber Education) Framework for Cybersecurity and the European Union’s European Cybersecurity Skills Framework (ECSF). These frameworks help establish a common language for cybersecurity jobs, skills and functions, giving companies guidelines around which they can create a prioritized hiring strategy.

Also, taking a cue from Wyden’s criticism, companies may want to ensure that at least some board members or top business executives have a certain degree of familiarity with key cybersecurity issues, so they can hire the right CISO and communicate meaningfully with that individual.
