Deb Stevens, CSO, Tufts Health Plan - Profiles in Confidence





Deb Stevens is the CSO at Tufts Health Plan, a Massachusetts-based organization known nationally for offering high quality health plans. Serving all segments of the population, Tufts Health Plan’s private HMO/PPO plans received a “5” – the highest rating possible – from the National Committee for Quality Assurance (NCQA)*. Only eleven plans across the country achieved this rating. Their Medicaid plan received a 4.5 out of 5. Tufts Medicare Preferred HMO and Senior Care Options plans earned 5 out of 5 stars from the Centers for Medicare and Medicaid Services as part of its annual Star ratings for 2016**. Only twelve plans across the country achieved this rating.

Before the time of formal information security programs, Stevens worked in organizations to protect intellectual property for technology and clinical trials companies. “Early on in my career, my work was all about enabling the business and protecting brands at the same time,” she explains. While computers and any technology came very easily to Stevens, she was given opportunities to learn a variety of business verticals and technology and holds certifications in many security areas.

Stevens’ keen leadership and business skills allowed her to quickly establish a successful cybersecurity program at Tufts Health Plan. “I have a passion for protecting data as well as reducing the risk to the company brand,” she says.
Her passion enables her to work seamlessly across the business with leaders. Understanding the business strategy allows her to align the security strategy, which translates into her receiving the requested budget and resources. She comments, “I am able to get the budget I need because I approached security as enabling the business lines in addition to meeting regulatory requirements. My job is to demonstrate what we need, when we need it based on what the risk is, and how security would enable the business.”

Not only does Stevens meet with the Board members to educate them on the security posture, but she also updates them on a regular basis. “I think about my audience when presenting to the Board and I make sure that I am not supplying them with data points that don’t matter to them, something many security executives make the mistake of doing,” she explains. They are required to be aware of the security posture of the company, including risk, and are very interested in where we are going and what is needed for the future.


“Everyone has been talking about the shortage of security professionals, which is nothing new. I have taken the approach that we need people who have soft skills and emotional IQs, so they have strong business acumen and are technically sound,” Stevens explains. The cybersecurity program works within their security team to further develop this important set of skills. The goal is to truly understand the business they are working in, so they design solutions that ultimately enable the business. Innovation has played a major role in this program, because Stevens believes that being an innovative thinker is a key characteristic of a strong leader. This program is based on a model set up by Stanford University called “Design Thinking”.

This November, Tufts Health Plan hosted its 19th annual cybersecurity awareness day. “We can clearly see in some areas, a 50% improvement [in security awareness], which is tremendous,” Stevens says. By using creative ways to attract people, such as raffles and giveaways, many employees are able to benefit from learning about security for both their professional and personal lives. At Tufts Health Plan, awareness is not limited to one day; Stevens conducts ongoing education, whether her team is speaking at various department meetings or employees are taking computer-based training on the subject.


“The future is now. CSOs need to understand the business and enable it. Thinking in a strategic fashion is absolutely required,” says Stevens. She believes an innovative mindset paired with innate problem solving capabilities in addition to managing risk are essential skills needed to be a leader.

As security leaders move further into board room conversations, CSOs must also prepare for these discussions. Stevens recommends preparing for questions about current and future resources and risk to your organization. She states that you need to align and differentiate what enables business versus regulatory compliance. Maintaining a vision and having a conversation with board members enables them to make decisions on risk, according to Stevens. Being well prepared to answer any question is a must.

Collaboration on threats now and in the future will remain constant to managing loss of data. Everything is connected. For example, she purchased a vehicle this summer and received a USB drive to patch a security vulnerability two months later. Who we are as people, our identities, roles and relationships to devices and other resources will become simplified.

* The National Committee for Quality Assurance (NCQA) Private Health Insurance Plan Rankings 2015-2016
** NCQA’s Medicaid Health Insurance Plan Rankings 2015-2016
