
Attracting, retaining healthcare CISOs: Maybe it’s not a money problem

A medical technologist processes test samples for the coronavirus at the AdventHealth Tampa labs on June 25, 2020, in Tampa, Fla. (Octavio Jones/Getty Images)

All sectors are facing cybersecurity staffing shortages, with the latest data showing the U.S. cyber workforce needs to increase by 65% to protect critical infrastructure. But for healthcare, the challenges are more severe: three out of four hospitals operate without a designated security leader. Those responsibilities are instead handed to IT or compliance officers.

From an outside perspective, the reasons for these shortages would seem related to budget constraints. After more than a year of battling the COVID-19 pandemic, many hospitals and health systems are operating with fewer staff overall and facing staggering financial challenges.

Data from the American Hospital Association estimates the net financial impact and collective losses tied to COVID-19 hospitalizations from March to June 2020 alone will be $36.6 billion. And the total does not include the estimated $161.4 billion in lost revenue from cancelled surgeries and other services. 

The losses provide just one example of healthcare’s resource challenges and do not include the impact of other events, such as natural disasters and cybersecurity incidents that lead to network downtime — and further lost revenue.

But longtime healthcare veteran Mac McMillan, CynergisTek CEO and president, says financial compensation for security leaders is not the leading cause of the sector’s challenges with attracting and retaining chief information security officers and other cybersecurity leadership.

“Everyone thinks [the problem] is money, and certainly, salary has a bearing, but it isn’t the case,” said McMillan. Many cybersecurity candidates for the healthcare sector are willing to be paid a little bit less, and “in most cases, those in healthcare are being paid less than their peers. But that’s OK, as long as there are other things that compensate.”

Instead, the trouble appears to lie with a lack of board support and an underwhelming culture of cybersecurity within the enterprise. 

In McMillan’s experience, disgruntled or unhappy healthcare security leaders feel that the organization is not providing them with the needed support and is failing to commit to doing the right thing to keep the provider organization secure.

The second leading frustration is tied to a lack of the resources needed to do the job correctly. That is, the security leader understands what needs to be done and has the ability to accomplish the task, but the board or other hospital leadership is not providing the resources.

“It wasn’t that they had to be lavished with support or overly resourced, although they would love that,” said McMillan. “It was that they didn’t have the least of the things needed to do a good job because they don’t want to fail, nor do they want to be part of a program they know is going to fail or going to have an issue because they can’t do all the things that they need to do.” 

Compensation for healthcare security leaders, from McMillan’s experience, ranks as the third most pressing issue.

Remote work opens doors, industry posture creates hurdles

One major benefit of the pandemic felt across all sectors was the adoption and further expansion of the remote workforce. Rural healthcare in particular has struggled to attract and retain cyber talent because of its location.

But with the normalization of the remote workforce, the Impact Advisors security team (Vice President Mike Garzone and Senior Advisors Barbara McClung, Marc Johnson, and Stephen Collins) feels that healthcare has been given a renewed opportunity to tap into cybersecurity workforce members it may not have been able to reach before the pandemic.

“Markets — or the physical location — often have had a historic impact on compensation and talent retention,” said Impact Advisors leaders. The dramatic spike in the remote workforce “exponentially expands the recruiting reach for healthcare organizations, and it also expands the potential employer pool for individuals.”

“Both factors have created new competition in the job market. Hospitals that had been limited to recruiting within their zip code now have access to talent and are willing to pay more for skills that are not locally available,” they added. And “talented individuals can now seek the most attractive compensation models and growth opportunities regardless of where they reside.”

It’s an especially significant shift, as other sectors have historically drawn top talent with attractive compensation models and other benefits.

The challenge is that not only is healthcare dealing with the financial impact of the pandemic, but many healthcare workforce members are also dealing with a tremendous amount of fatigue. From overwhelming patient volumes and operating expenses to dramatic increases in devices and remote endpoints, Impact Advisors warned there is an even greater number of stressful workloads.

"There's a real and significant issue of fatigue," said Impact Advisors leaders. "During the pandemic, we witnessed many organizations reducing operating expenses proportional to operating income. Patient volumes, however, have increased and the threat landscape has accelerated. This has created stressful workloads for fewer people with more to do to maintain operations."

With support, healthcare is the ideal challenge for security leaders

Another hypothesis posed by stakeholders says that healthcare’s struggles with cyber talent retention are due to its unique threat landscape, an overabundance of vendors and access points, troves of IoT and medical devices, and regulatory burdens. It may appear as if healthcare has too many hurdles to overcome to attract talent, but those challenges are actually a benefit.

To McMillan, the healthcare sector poses the ideal environment for cybersecurity leaders looking for a real challenge.

“The more complex the job, the more interesting, the more challenging, that’s what tends to motivate them,” said McMillan. “Every cyber person is a pseudo superhero with a cape, in disguise. They feel they’re saving the world. That’s their motivation: beating the bad guy.”

“But what demotivates them is when they're faced with all of that, and there's no support and no resources,” he continued. “Because they keep coming up against these things, and they know they’re going to fail because they're not going to get the support.”

The lack of resources doesn’t just refer to technology or the budget to buy tools, but failing to provide security leaders with the people they need to get the job done. McMillan explained there are still a fair number of large health systems with security teams made up of just three people.

Healthcare is failing to keep cybersecurity leaders because they expect the few members they have to manage 80 to 100 tools, which “is wholly unhealthy.”

If healthcare hopes to attract talent to their organizations and take advantage of the expanded remote workforce candidates, hiring leaders need to change the narrative during the hiring process to drive the intent and culture of cybersecurity within the enterprise.

Further, the hiring team should include leadership from across the enterprise to demonstrate the importance of cybersecurity across the enterprise and to strengthen the narrative that the leader will have the enterprise’s support in security initiatives.

For McMillan, the hiring team should emphasize the dynamic environment, including the long list of different, equally important tasks and data to protect. Essentially, the team should stress that they’re “looking for someone up to the task,” framing the discussion in terms of challenges and rewards that can help these potential leaders grow and enjoy the tasks in the process.

“The rewards don’t just mean money, but rather the sense of accomplishment,” said McMillan. “All of a sudden the money isn’t quite as important as before. Because if you go to Microsoft or another big company, you’re one of many. If a cybersecurity employee comes to healthcare, nine times out of 10, they’ll be the point person.”

As such, the narrative should center on running the program or being in charge, coupled with driving change and making an impact within a challenging environment in an industry critical to the nation — and on every hacker’s hit list. McMillan explained this narrative is what attracts real talent, the true “superhero genes.”

For the most part, cybersecurity folks aren’t looking to be another cog in the wheel or an analyst in a group of analysts; they want to take charge of their own program. McMillan stressed that if healthcare can frame the mission within this context, it can gain the talent needed to strengthen the sector.

“The companies successfully attracting and retaining employees place a great deal of importance on culture and how employees are valued and treated,” said Impact Advisors’ leadership. “Organizations that continually work to improve career development, access to training, work/life balance, recognition programs, inclusion, and respect are a step ahead of possible competitors.” 

“Creating a positive work environment with fair and equitable compensation is important, but combined with culture and a dedication to a mission that improves the health of our population, organizations can create competitive differentiation,” they continued. “Organizations need to acknowledge the commitment and tenure by finding impactful ways to reward it.”

Healthcare may not be able to provide the same benefits or environment as the tech giants or other Fortune 500 companies and shouldn’t attempt to compete on those terms. Instead, it should seek the talent looking to lead and make a difference in an industry that desperately needs change.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
