In this interview, Wes Farris, Information Security Officer for the Harris Center for Mental Health and IDD, discusses how to evaluate the effectiveness of cyber security tools, how to remain in sync with your board, and keys to cyber security and career success.
How do you engage with and get buy-in from diverse groups of stakeholders?
I obtain support from my peers in IT first. Learning about a new technology together, I’ll engage the prospective technology vendor and lead a proof-of-concept project so that we can vet the technology in our environment before we go any further.
Once we do that, and I have consensus among the leadership in the IT department, including our CIO, I work with other internal departments to support the procurement of new technologies. We take all of our stakeholders into consideration: IT leadership, our customers in clinical leadership, and our clinical workforce members. We must consider whether a technology will make their jobs easier or more difficult.
If a technology will hinder our effectiveness as a clinical service provider, I will usually disband the project, no matter how well it works from a back-end or security operations perspective. I always try to balance security controls with improving customer workflows.
How do you assess a technology and what criteria do you apply to determine that a tool or security product is powering improvements? Conversely, how do you determine that a tool isn’t working?
Business requirements, such as improved clinical workflows, data as a service, or work-from-anywhere, will drive our path forward.
We test information security implementations inside the IT department first, including our health informatics and clinical informatics groups. They help us test new technology impacts on existing clinical workflows. If we can prove value and minimal negative impacts to clinical workflows, we will expand testing and discuss procurement and operationalization.
What are the key elements required for success when presenting programs to the board?
I will have already gone through a proof-of-concept that allows us to prove and demonstrate that the technology that we’re proposing to implement will accomplish our operational goals.
Post proof-of-concept, we will engage our purchasing and procurement departments to perform due diligence and verify that we are in compliance with policies, procedures, and regulations. Once all internal stakeholders are in alignment, we will present the project to the board.
What do you see as happening across the next year in terms of technology change, and what will you be doing to shape that change?
We will continue to embrace cloud computing, Platform-as-a-Service. We will thoroughly support the ‘work from anywhere’ model. We’re leveraging a number of different technologies to accomplish that at the moment. Check Point is a big part of that.
What advice do you have for other ISOs or CISOs when it comes to building the best cyber security program possible?
One of the biggest successes across my entire career has been embracing cutting-edge technologies. Take the time, do the research. Do as many proofs of concept as you can to investigate new technologies and maintain and grow your technical skillset. Many advertised solutions look good during lab demonstrations and still do not prove value in your specific IT environment.
Something else that has been vital to me in my career is actually building partnerships with my value-added resellers and the software and hardware manufacturers that we partner and do business with. Our partners have helped us during security investigation and issue resolution and have been extremely valuable during implementations.
Try to balance leadership responsibilities with remaining technical. Try to stay involved with technology implementations and security operations. Round with your managers, administrators, and analysts. Empower your teams to share their opinions on how to improve processes and workflows.
Is there anything else that you’d like to share?
Continually selecting, evaluating, and championing emerging security technologies has been one of the most effective processes that I’ve leveraged across my entire career. Prioritizing the modernization of our security stack has multiplied our operational efficiency.
I really take leading empathically with compassion and focusing on the human elements of the job quite seriously. I’ve found it not only a more effective way to lead, but also a much more fulfilling approach to life. Focusing on communication and relationships has improved the culture in our department and fostered teamwork. We have happier teams and a more pleasant and productive department as a result.
I’ve been in healthcare cyber security for almost 20 years now, and I can look back at myself and see how much I’ve grown personally. Focusing on personal growth has empowered me as a professional and leader. When we prioritize personal growth and self-care, we are stronger and have more energy and insight to invest in our family, organizations, and community.