More healthcare organizations are hiring CISOs — a good thing. But bad management structure, insufficient resources, and poor understanding of risks often doom these newly appointed security executives.
First, the CIO’s pay is set at least a full grade level lower than it should be. Second, the CIO cannot participate in organizational strategy meetings because of rank.
Most important, the CFO and other executives run IT and cyber security strategy, instead of the CIO. IT department pay, including that of the chief information security officer (CISO), is lowered, making it challenging for the healthcare organization to acquire and retain top talent. Finally, the CIO becomes an ideal whipping boy for any failures, but other executives are well protected, even though they make the final decisions.