“One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. [Name omitted] had not worked in a full-time cybersecurity role before he was elevated to the top cybersecurity position at UHG in June, 2023, after working in other roles at UHG and Change Healthcare. Though [the CISO] has many years of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise,” the senator wrote. “Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.”
Right or wrong, the letter illustrates how many officials incorrectly see the CISO role as the head of the Security Operations Center or as someone overseeing cryptographic strategy. It has evolved into a far broader role, and much of the value comes from persuasion skills. Technical skills are relevant, but if the hiring executive must make trade-offs when hiring a CISO, what trade-offs should be made?
“We’ve gotten to the point where nobody is sufficiently qualified to be a CISO. We’re asking these people to be experts in cybersecurity, information technology, data privacy, AI, governance, risk, compliance, and business. Though they’re rarely lawyers, we want them to be able to interpret and comply with myriad frameworks, industry standards, state, federal, and international laws,” says Brian Levine, managing director at Ernst & Young overseeing cybersecurity. “Though we don’t leave them with sufficient time to read, we want them to keep up with technology that’s changing daily. Though they’re technology experts, we also need them to be stellar managers — to be able to manage global vendors, employees, contractors, counsel, executives, and board members. CISOs are doing their best, but nobody can really live up to these standards.”