THE UNIVERSITY OF KANSAS HEALTH SYSTEM
throughout their development. Within 6 months, you can have a highly competent and driven cybersecurity professional. So we look at non-standard backgrounds, because frankly, we're all competing for the same people who have those ‘standard’ cyber backgrounds.”
With staff turnover below 10%, the health system had achieved results exceeding the industry average.
Adopting cyber risk quantification practices

Being able to speak the language of the organisation in business terms is key. In the case of the health system, it has driven the adoption of Cyber Risk Quantification, which looks at potential loss scenarios to understand the probability and cost of that event. With data behind them and a structured approach toward measuring the inherent uncertainty of risk, the cybersecurity team is able to communicate risk in the universal language of money.
“Everyone understands money. Everyone understands an annualised loss exposure and a loss exceedance curve. We want to remove the dark security magic out of security communication and start communicating like a business executive. That's been an important piece for us and for our health system leadership: to be able to understand cybersecurity risk in business terms without having to take a cybersecurity crash course.”
Meis acknowledges that risk awareness has fundamentally changed the way they think about cybersecurity, shifting from just a technology problem to one of overall business risk: “It puts your organisation in its entirety at risk, if it's a large enough attack. There was a news story recently where we saw a small university that experienced a ransomware attack and was unable to completely recover from it, so it is now shutting down entirely.
“Our industry has kind of played in the basement for the past 30 to 40 years, and now cybersecurity has become so prevalent that that's no longer good enough. In order to evolve, we need to be able to adopt these risk quantification techniques,” said Meis.
Cyber a young industry

“When you think about us as an industry, we're very young – especially when you compare us to the finance industry or legal; they've been around for a couple hundred years at minimum. But we've started to see that same maturation of our industry, and I think that's going to continue and it's going to require the security leaders of tomorrow to evolve.”
According to Meis, those leaders of the future must understand how the organisation operates in terms of revenue cycles and where adversaries are going to target, and be able to communicate this effectively to other business leaders.
healthcareglobal.com