Why filling data security jobs won’t get any easier for providers
If 2016 and the first seven months of 2017 have shown us anything, it’s that the cyber risks in healthcare are serious and growing.
For the first time ever, the number of reported breaches involving hackers has outpaced other traditionally prominent threats like insiders and theft of devices, while at the same time healthcare continues its journey to becoming a truly information-based business.
Networks, systems and data are critical to healthcare delivery and represent one of the fastest-growing and largest investments that healthcare organizations make each year. At the same time, we still struggle as an industry to find and retain the skilled resources necessary to build and manage cybersecurity programs to effectively protect this investment.
Many health systems suffer from geography or locational challenges in attracting talent. Some face strong competition through proximity to other industries willing to pay more. If that weren’t enough, all are faced with shrinking reimbursements, new payment models and nervousness over changes to the Affordable Care Act that could affect Medicaid.
All those factors combined have caused many health systems to curb hiring at a time when they need it most. Some are finding short-term solutions by contracting for virtual CISOs and other information security specialties to fill critical gaps in staffing. Healthcare faces some significant challenges in attracting, recruiting and retaining cybersecurity talent.
According to the latest estimates, there are well over 1 million vacant cybersecurity positions across all industries today, and this number is expected to soar to nearly 2 million by 2019. As a result, the current supply of cybersecurity professionals is well below demand, making them highly mobile and giving them a considerable advantage in negotiating compensation.
LJ Kushner, a very successful recruiting firm for cybersecurity professionals, has placed CISOs in jobs that pay in excess of $300,000 in compensation. That is a level of pay for which many in healthcare aren’t prepared. This shortage of skilled staff, plus the premium that has to be paid to hire these resources, has created considerable challenges for healthcare, which is already dealing with other major financial concerns.
However, failure here is equally untenable, as the cost of breaches continues to rise, and recent destructive and disruptive attacks, such as WannaCry and NotPetya, have focused a searing bright light on the importance of having good cybersecurity, especially for an industry that relies on information and systems to accomplish its mission.
The Department of Health and Human Services Cybersecurity Task Force highlighted the need for more cybersecurity talent in healthcare and discussed ways to develop this talent for the future. However, the challenge is that we need this talent now, and it will be many years before there are enough people with the requisite skills to go around. The answer in the short term is having the right partner or partners.
Geography plays a critical role in the search for and recruitment of skilled cybersecurity resources, as this workforce has many options for where they want to live and which career and industry they want to pursue.
Healthcare systems in rural areas of the country, like states in the central part of the country and the South, often find themselves competing with health systems in more populated states or big cities for the same resources. Getting someone to move to the rural areas of Wyoming, the Dakotas, Minnesota, Arizona, Texas, Louisiana or Mississippi, for instance, can be a real challenge. One hospital in rural Wyoming spent three years recruiting before finally giving up and contracting for a virtual CISO, and another in rural Northern California had a similar experience.
The challenges facing health systems in more populated areas can sometimes be no less difficult. The pool of available candidates may be larger, but salary costs are usually higher, as healthcare competes with other industries nearby that have the same needs. When healthcare organizations decide to develop the expertise by training in-house people, they frequently lose these individuals shortly after they become barely capable. Oftentimes, they’re losing these newly trained individuals to the same companies with which they are already competing for cybersecurity talent, and those local companies are willing to pay more.
The other retention challenge hurting healthcare is the lack of organizational support for the position or the cybersecurity program itself.
Cybersecurity professionals are different than any other group. One of the things most important to them is being in an organization that takes data security seriously and demonstrates it with leadership and budget. Many cybersecurity professionals have left other industries for healthcare only to leave again—not because of more money, but because of lack of support for their job.
However, the good news is that cybersecurity professionals as a group tend to be very excited and committed to their profession, and they often seek challenging positions with the potential for learning, new experiences, organizational support and the opportunity to make a difference. Many are seeking an opportunity to lead their own security program and to have the title of CISO.
For healthcare to compete for the scarce cybersecurity resources that are available, it will need to embrace higher salary expectations, create challenging work environments with rewards, and look to alternative compensation strategies to add value when competing with the technology giants, the financial sector and the government.
Often, hiring a temporary resource can help overcome short- or long-term restrictions on staff growth or help to acquire an individual with a specific skill set just for the time needed. Acquiring services with or around certain technologies or functions also can lessen the stress associated with recruiting and retaining staff and provide the benefit of deeper expertise, protection during turnover and access to a broader knowledge base.
Alternatively, a hybrid strategy that incorporates the right strategic partners for resources, managed services and other security operations can enable healthcare organizations to build a larger-than-resident security organization that incorporates timely support with deep industry expertise, experience and know-how, without the long-term cost associated with full-time employment.
Recruiting, hiring, training and retaining experienced cybersecurity professionals is not expected to ease any time soon. Having a smart strategy of the right mix of internal and external resources is one way for healthcare entities to make sure they are not alone in this fight.