How to hire and retain an expert security staff
According to the May 2016 Ponemon Institute’s Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data, one trend stands out that continues to constrain healthcare organizations in protecting their data: the difficulty in hiring and keeping security experts on staff.
The research found that 44 percent of healthcare organizations have not hired enough skilled security practitioners. It also indicates a marginal increase, from 33 percent to 37 percent, in organizations that do have the resources to prevent or quickly detect unauthorized patient data access, loss or theft.
Additionally, 57 percent of respondents said they have the personnel with technical expertise to be able to identify and resolve data breaches involving the unauthorized access, loss or theft of patient data. This is another marginal increase from 53 percent in 2015 and still illustrates a hiring gap.
Healthcare organizations may not be able to offer competitive salaries to lure top security talent compared to other industries such as banking, finance and insurance. So when hiring a qualified candidate isn’t a viable option and outsourcing isn’t feasible either, the next best alternative is to develop and train the individuals currently on staff. Quite frankly, this should be happening already, but the training budget is usually the first thing on the chopping block, assuming there is a formal training budget at all.
Enhancing the security skills and knowledge of the current staff can fulfill multiple objectives and requirements, including compliance with regulations that mandate security training, as well as providing improvements to the information security program through better execution and security decision-making.
Here are some best practice factors to consider.
- Develop a model for the desired information security competencies by reviewing the technologies used and security issues confronted by your organization.
- Assess the skills of the organization’s information security professionals against the desired competency model to identify gaps of knowledge and establish priorities for training the security team.
- Develop career development and training plans for each security professional based on their individual career goals and the organization’s identified gaps. This should include security skills training and vendor-specific product training.
- Review these career development and training plans annually and adjust based on the evolution of personal and company needs.
- Require each professional to attend a minimum amount of security-related training each year, depending on their role.
- Establish a mentoring program to assist in the development of individuals not currently performing at the expected level or migrating into a new role. Participation in communities like the Information Systems Security Association (ISSA) and LinkedIn groups provides additional perspective and resources for engaging with peers.
- Encourage professionals to prepare for and complete the testing required to receive third-party certifications such as those from ISC2, ISACA or SANS Global Information Assurance Certification (GIAC). These certifications provide evidence of the well-rounded skills desired by the organization, and the preparation period itself augments and enhances each professional’s security skills. Some have debated the necessity or usefulness of certain security certifications, but there’s no debating the assortment of certification-specific study guides, books and courses available that can provide a structured learning experience for junior staff or a primer for those moving into security from a non-security role in the organization.
Adequate funding should be allocated to support attendance in security training courses. This task depends on having clearly defined security roles and responsibilities, which should be incorporated into the security staff training plan. That plan should also cover training and awareness of the organization’s regulatory obligations and requirements, along with its comprehensive set of policies, procedures and standards.
Depending on the scope, reviewing and developing a required competency model for your organization’s security program can take as long as two calendar months. It can take another one to two months to assess the current security team members and develop career development and training plans based upon personal and organizational requirements. An average recurring expense should be $10,000 to $15,000 per security professional for training and development.
Your security strategy and execution are only as good as your people. Healthcare organizations that hope to adequately protect their data and ensure patient trust need to take seriously the training and development of security staff. You're competing with security vendors and consultancies that are often willing to pay a premium for the best talent today and are heavily investing in developing their ties to universities to find tomorrow's skilled hires.