WITH A SEAT IN THE LEADERSHIP FORUM, CISO ENSURES SECURITY IS INVOLVED FROM THE START

Community Health Network of Connecticut (CHNCT) is an Administrative Services Organization (ASO) in Connecticut. CHNCT’s job is to effectively manage member healthcare and provider participation while lowering costs for the state. Since they are governed by HIPAA compliance and other state regulations, and are also determined to reduce risk of exposure to the business, CHNCT puts a priority on information security. In fact, Bartolotta believes CHNCT is one of the few organizations in the healthcare industry where the CISO reports directly to the CEO, holds positions on the leadership team, and has a presence in the Board Room.
A CEO with the foresight to install the CISO position as a direct report is very aware of the importance of security. Bartolotta says, “Our CEO is very knowledgeable when it comes to security. Our conversations are typically about establishing an acceptable risk profile and minimizing exposures.” While the CEO partnership is important, it is Bartolotta’s participation in the senior leadership meetings that he most values. “Since I am in those senior leadership meetings, I am able to ensure that security is a consideration from the get-go of a new process, program, or project. It makes the entire process much more efficient and collaborative.”
Putting a Good Plan into Action

“If you are a CISO, you must be a business person first. Learn the business inside and out. Meet with every VP and line of business manager to understand their goals and priorities. From there you should be able to create a good plan to ensure you are protecting the necessary information and systems,” said Bartolotta. Bartolotta follows a philosophy that incorporates teamwork, leading by example, collaboration and respect, among other things, to ensure the security plan is successfully implemented.
• BE A ROLE MODEL It was once a manager’s job to simply draw a line of sight from the employee to the organization’s mission, value, and success criteria. Today, that is still important to do, but you must also lead by example. As leaders, we have to show them, through our actions and interactions, how to approach security from a business perspective.
• BE RESPECTFUL It is important to respect the contributions of everyone, including our teammates in security, the greater organization, our vendors, and our partners. “When others succeed, it is easier for us to succeed.”
• BE BUSINESS-FOCUSED In building the best team, Bartolotta prioritizes integrity and business acumen as much as technical skills and security certifications. How candidates fit into the team and the culture matters most of all. “I look for flexibility, business awareness, and the unique talents they can bring to our team.”
• BE OPEN AND PERSONABLE On Bartolotta’s third day at CHNCT, the security team received a request from a business unit. The security team’s existing procedure was to review the request and possibly approve, but usually deny it via email. Instead, Bartolotta requested a meeting with the business unit. Together they discussed the business challenge behind the request and Bartolotta’s team made suggestions for approaching it in a secure manner. As a result, the business unit gained a better understanding of security’s motivations and the impact their operations may have on corporate security, and also received a satisfactory solution to their issue.
• BE CALM In security, it is easy to react loudly and forcefully; it is a fast-paced and intense industry with a lot of uncertainty. However, a calm manner is one of the main characteristics of a confident person. If you are a calm security person, you are well-prepared and focused on your mission, not on distractions.
• BE A CHAMPION Security does not often receive many accolades in an organization, and has limited visibility when things are going well. That is why Bartolotta believes in the importance of championing your own program. Bartolotta branded the “Office of Information Security” (OIS), complete with its own logo, when he arrived at CHNCT. This helped establish an identity for the security organization. The “OIS” holds regular training sessions, breakfast meet and greets, security events, and lunch and learns, so the larger company remains up to speed on security’s value and initiatives.
LEARNING FROM OTHERS OUTSIDE OF SECURITY

Years ago, Bartolotta was working at a hospital in Connecticut when his wife went to an emergency room at another hospital. Bartolotta was so impressed with the service that his wife received and the manner of the caregivers that he commented on it to the nursing staff. “How is it possible you have made this negative event a positive experience for us?” he asked a nurse. “We hire good people,” she said. From that experience Bartolotta learned to value integrity, as much as technical skills and business acumen, in building a successful team.