Building a Culture of Security Through Communication
Written by Linda Luty
Chief Information Security Officer
Children's Mercy Hospital
TJ Mann’s journey to be the first CISO at Children’s Mercy Hospital was not a traditional one. His family immigrated to the United States 16 years ago, and his pursuit of a graduate degree while working full time to support himself set him up for a fulfilling career in cybersecurity.
Mann found a passion for cybersecurity early in life and has relentlessly pursued this career path, leading him to Children’s Mercy Hospital, where he is growing a robust program and helping the business understand the importance of mitigating cyber risk and establishing a culture of security.
The career path Mann took to get to Children’s Mercy included “helping multiple financial services and retail clients build their information security programs, consult and advise on improving and maturing their information security programs, and also building some new capabilities around security operation centers, cyber fusion centers, incident response plans and playbooks, cyber risk management programs,” he says.
This varied experience from previous roles led him to his current position, where he built a team from the ground up and is using his experience to instill a culture of security and mitigating risk through gaining buy-in from executive stakeholders.
“The job and the role itself was very intriguing because it really is something to stand up a brand new cybersecurity program from the ground up for an organization focused on improving well-being and providing care for all children. I found that this is an amazing opportunity to come in and make an impact by building the entire team and the program,” says Mann.
Building Blocks for Success
To understand how this program was successfully built, we need to understand the power of relationships and executive communication and the importance of the CISO understanding the business.
“Cybersecurity is not a task, it's a risk. It's not any one team, business unit or group's responsibility – it's the entire organization's responsibility. Because when cyber breaches do occur – and it's not a matter of if, it's a matter of when – the entire organization is impacted. Business operations are impacted, there is a financial cost, and then there is reputational risk to the organization,” says Mann.
In order to help the business understand the risks, Mann first needed to understand the business. “One of the first things that I did when I joined, and I would advise any CISO to do this, is to really understand the business. How do they make money? What are the things that are important to the business? Because at the end of the day, security is a cost center from an accounting standpoint. We don't generate revenue, we protect the business and we reduce risk,” Mann explains.
Understanding the business objectives helps Mann establish a cyber program that aligns with those priorities, furthering the mission of his team and the business. By creating and communicating a vulnerability gap analysis mapped to the business processes and building relationships across the organization, Mann has successfully gained buy-in, and the business better understands the “why” behind having a comprehensive cybersecurity program.
“The executive team understands this work impacts the entire organization. The way I did that, and the way I'd recommend, is to start with your organizational strategies and goals. What are your business goals today and what are your business strategies today?” says Mann.
“CISOs need to have a business mindset as well to help the non-technical people understand what is the value of this to the entire organization. So, simply put, it requires translating those business goals to cybersecurity goals.”
(Not) Lost in Translation
After Mann grasped the business objectives, identified vulnerabilities and mapped his initiatives back to the business goals, he began communicating these things to stakeholders. CISOs are familiar with board presentations, but sometimes communicating cybersecurity objectives can be difficult to translate to a non-technical audience. For this, Mann uses a simple graphic that clearly translates his goals to the overarching business strategy.
Once the business buys in and understands the importance of a cybersecurity program in advancing business goals, mitigating risk, and protecting the reputation of the business, the next step is measuring success.
Quantifying Risk, Measuring Success
Developing metrics based on key risk indicators is no easy feat, but it is imperative that the board and other financial decision-makers see a dollar amount tied to a particular risk. While it can be hard to quantify reputational damage done to your organization due to a breach, monetizing risk is key in getting buy-in and creating awareness about the threat landscape.
For example, quantifying the price of a medical record sold on the dark web and multiplying it by the records they have in their system is a way to communicate the risk to their records in an easily understandable way.
“These kinds of indicators help the executives and the board to understand how we are managing risk within our organization. The board is the ultimate authority on our risk tolerance levels, and it's a fiduciary duty to manage risk to the organization,” explains Mann. “It’s important to have good key risk indicators that can show management and executive teams how well we are managing those risks. Otherwise it's not going to connect with them, because they need to know what the funding or resources we ask for is doing for them.”
“It's a CISO’s job to change that perception, that cybersecurity is a business unit. Even though we don't bring revenue, we protect the business and reduce risk to the organization, and we can be partners with other business units,” says Mann.
It All Starts with a Solid Foundation
“Cybersecurity is not one team's job. It's everyone's job,” says Mann.
But he does have a stellar team that is helping shape the culture of security at Children’s Mercy Hospital. Mann’s approach to leading his team started from the ground up. Being the first CISO and building a team from scratch took work; Mann personally reviewed more than 300 resumes to build and grow his team. “When I first started, we had three full time employees and three contractors on the team handling cybersecurity for the entire hospital and the entire organization,” says Mann.
To get started, Mann developed a plan to mature their security program with a three-to-five-year plan. Doing this involved understanding what the right size of team was for the organization given the size of the business and risk landscape. Determining the proper size of his team by using industry expertise and research helped him gain credibility when asking for the headcount needed to build the team.
“By determining the right-size team for this kind of organization, with this many employees, and this much annual revenue was important. That gave a good understanding and also helped the executives buy in, because they could see that this isn't just a made-up number,” says Mann.
“I was able to structure the team in terms of the different capabilities we need to build or mature, and then built an organizational structure. I created three different direct tracks led by three directors, and then there is a manager level and analysts and engineer level layers underneath that,” Mann explains.
And leading this team, watching them develop has been a great experience for Mann. Focusing on servant leadership and empowering his team to do what they think will best support the business has led to great success.
“If you can do four things as a leader, then you can build a strong leadership team. And those things are: inspire, empower, listen and appreciate. My mindset going into this was not just hiring people, but hiring quality people, people who have good skills and who would be a good fit in our organizational culture to drive this program forward,” says Mann.
“It is important to me to make sure whoever we are hiring is a good fit with the team and with the organizational culture, this helps advance the program. You can teach the technical skills to people, because I truly believe we hire smart people, so they can tell us what to do, not that we can tell them what to do,” he explains.
Leading this exceptional team invigorates Mann, and his passion for developing a team of true business leaders and partners is apparent when he speaks to his leadership philosophy.
“You can't give any thoughtful or impactful input unless you're listening; it is so important to be compassionate and empathetic, especially in the current world we're living in. In the last year, so much has happened personally with so many of my team members. Genuine empathy goes a long way because when you consider them as part of your family, then you're genuinely concerned about their well-being,” he says.
Mann’s focus on development helps make the team better and the organization more secure. By investing in his team, supporting them through personal challenges and tuning in to what they aspire to, he is better able to meet the needs of the team and business.
“They bring all these experiences and skills if you truly empower them, if you listen to them, and if you appreciate them for all the good that they do. And your job as a CISO, as a leader, is to inspire them to do even better.”
Special thanks to TJ Mann and Children's Mercy Hospital.
by CISOs, for CISOs
Join the conversation with peers in your local CISO community.
PODCAST | MAY 4, 2021
PODCAST | MAY 4, 2021
The Next Big Question, Episode 15
CIO Guy Mason of Bourne Leisure joins the podcast to share what private equity can teach us about technology value. Mason discusses his approach to evaluating technology in the M&A process and how businesses can remove complexity to increase the speed of change.
PODCAST | APRIL 6, 2021
PODCAST | APRIL 6, 2021
The Next Big Question, Episode 14
In this episode, we ask CIO Rob Zelinka of Jack Henry & Associates why change management is so hard for large organizations. We discuss change fatigue and the unrelenting pace of change, and Rob shares how communication and transparency can help business leaders crack the change management code.
PEER PRACTICES | MARCH 30, 2021
PEER PRACTICES | MARCH 30, 2021
Building Diverse Cybersecurity Teams With Intention & Authenticity
Security leader Amy Bogac of CF Industries discusses how daunting it can be to not have role models for women in cybersecurity. She shares three strategies for building diverse teams and helping women advance in security careers.