“One of the possible reasons for UHG’s negligence, and the company’s failure to adopt industry-standard cyber protections, is that the company’s chief cyber security officer appears to be unfit for the job. [Name omitted] had not worked full-time in a cybersecurity role before being promoted to the top cybersecurity role at UHG in June 2023, after serving in other roles at UHG and Change Healthcare. Although [the CISO] has decades of experience in the field of technology, cybersecurity is a specialized field, requiring specific expertise,” the Senator wrote. “Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the world’s largest healthcare company should not be someone’s first cybersecurity job.”
Right or wrong, the book shows how many executives misperceive the CISO’s role as that of the head of the Security Operations Center, or of someone who merely oversees information security strategy. The role has evolved into a much broader one, and the greatest benefit comes from persuasive skills. Technical skills are relevant, but if a hiring manager must make a trade-off when hiring a CISO, which trade-off should be made?
“We have reached a point where no one is qualified enough to be a CISO. We ask these people to be experts in cybersecurity, information technology, data privacy, AI, governance, risk, compliance, and business. Although they are rarely lawyers, we want them to be able to interpret and comply with a wide range of frameworks, industry standards, state, federal, and international laws,” said Brian Levine, Ernst & Young managing director in charge of cybersecurity. “Although we don’t leave them with enough opportunity to learn, we want them to keep up with the technology that changes every day. Although they are technical experts, we also need them to be top managers – to be able to manage global vendors, employees, contractors, consultants, managers, and board members. CISOs do their best, but no one can live up to these standards.”