Bryan Kissinger hopes this is the first time you’ve heard of him. Whatever the threat, whatever the response, he knows his team is succeeding if Sharp HealthCare stays out of the news.
“Our primary business at Sharp is to deliver patient care,” says Kissinger, the vice president of IT risk management and CISO at Sharp. “I need to be creative and help our clinicians and business teams deliver that care in as safe and secure a manner as possible.”
With seven hospitals across the San Diego area and a diverse workforce of eighteen thousand, Sharp requires a dynamic, layered approach to security: regulating physical access, protecting digital information, and maintaining user awareness.
Kissinger identifies phishing as the most prominent threat facing Sharp and the healthcare industry at large, calling these e-mail campaigns extremely effective at reaching office inboxes. At one point, the Sharp workforce was clicking on fraudulent links at an alarming rate, so Kissinger and his team responded on multiple fronts. They invested time in training and awareness activities; developed a custom plug-in for their e-mail service, which allowed users to alert the security team to suspected threats; and conducted a semiannual campaign of their own simulated phishing e-mails to measure the workforce’s susceptibility, which they continue to do today.
The team has implemented all this in just the past year, and Kissinger reports that they’re already seeing encouraging results. “We’ve seen the success rate of phishing e-mails decline pretty dramatically,” he says. Still, the conflict between security professionals and tech-minded malefactors is an eternally dynamic one, and threats continue to evolve. “They are becoming more sophisticated,” Kissinger says. “We’re actually taking some additional steps to sign and certify internally generated e-mails.” Because user vigilance is a key component of sound defense, he and his team of twelve continue to develop training and awareness materials in conjunction with those technical controls.
Half of this team works on IT risk management, and the other half works on security operations. A third-party provider also helps Sharp manage security operations round-the-clock.
Sharp engaged that provider just recently. After meeting with the biggest names, the company eventually chose to go with a smaller boutique firm. Kissinger says that he advocates for those boutique outfits and start-ups whenever possible. “The smaller, start-up companies have a lot of the freshest ideas and creative solutions to the threats we’re seeing today,” he explains. “Sharp is interested in and supportive of emerging technologies, innovation, and start-up companies. We’ve helped a number of companies refine their product offerings.” As a $3.5 billion nonprofit, Sharp’s size endears it to tech innovators looking for a prestige-partner opportunity. Plus, those firms often offer discounts until they establish a reputation, and that makes these deals especially attractive to the board.
Kissinger admits that this approach can introduce risk. “Obviously, the financial stability of some of these smaller, venture-capital-backed firms is not necessarily what a larger company’s would be,” he says. “But if they look stable and have good backing, I’m certainly willing to try a one-year deal with them.” A limited commitment like this mitigates Sharp’s risk.
High Seas to High Tech
After he earned a bachelor’s degree in finance from the University of Maryland, Bryan Kissinger served twelve years in the US Navy. Coming from a military family, he says he had always envisioned at least some time in the military. But spending long stretches overseas was a challenge for his family life, so he returned to civilian work. “I never envisioned getting into this line of business,” he says. “I really just kept an open mind. My first job at Arthur Andersen put me on this road of doing technology, risk, and IS operations. I’ve really just stuck with it all these years.”
The ability to weigh and communicate business-area concerns is key to Kissinger’s approach. When the technical details are beyond the grasp—or attention span—of the board and the rest of the C-suite, the business implications are critical to gathering support. “Often the CFOs—and even a lot of CIOs these days—don’t get the really deep, technical side of information security,” Kissinger explains. “I’ve seen some colleagues get into trouble while building support for their programs because they’re not able to think and communicate like businesspeople.” Given the rapid rate of threat development and technological advancement, it’s no surprise that the minute details are often beyond the rest of the team. Accordingly, Kissinger relies on his business background and encourages others to think in financial, managerial, and cultural terms. “I’m confident my business-minded style has convinced our senior business leaders, including the board of directors, that what we’re doing is a practical and right-sized approach to conducting a security program.”
After his service in the US Navy, Kissinger worked as a consultant for Arthur Andersen and PricewaterhouseCoopers, where he accumulated experience and developed the skills that enable him to excel in this role. He says his unique perspective is that of an internal consultant who is well-practiced in presenting solutions and results-oriented in execution.
“I’ve probably consulted at hundreds of companies in my twenty or so years of professional work experience,” Kissinger says. “So when I’m confronted with a challenge, I have a virtual database of solutions that have been successful and, on the flip side, things that have not been successful.” Consulting continuously challenged him to generate solutions, sell them, and deliver value. Now those decades of wide-ranging experience keep his tactics keen.
As the threats evolve, Kissinger and Sharp will continue to innovate in partnerships, tech solutions, and employee training and awareness, but the fundamental goals will remain the same: first, deliver sound, secure healthcare; second, stay out of the news.