Ronald Mehring, Chief Information Security Officer, Texas Health Resources, discussed security risk management in a keynote address to Argyle's CISO membership at the 2015 Chief Information Security Officer Leadership Forum in Dallas on Oct. 21. In his presentation, "Security Risk Management: How I Stopped Worrying and Love the Data," Mehring examined his journey in growing and leading a data-driven healthcare information security program.
Today, Mehring said Texas Health Resources' information security program is "risk-driven" - but it certainly did not start this way. In the past, his company's approach to information security involved a huge, monolithic security infrastructure that was ineffective, Mehring added.
Mehring shared insights from the challenges the company encountered in addressing evolving healthcare regulatory requirements, and the lessons learned throughout the journey. Initially, Mehring noted that their information security infrastructure actually created risk rather than minimizing it.
He elaborated on the many challenges facing the company at the time: "How am I going to address that regulatory requirement? Then what we have going on at the same time, especially in healthcare, is an enormous amount of technology and application churn," he said. "It's getting extremely complicated and complex to manage."
To address Texas Health Resources' information security concerns, Mehring said he used a Venn diagram to outline the key issues. He pointed out that every security control needed to address reliability as well as resiliency from both safety and privacy perspectives. Ultimately, Mehring said, he was able to group compliance and security together to effectively minimize risk.
"To become data driven, you have to actually tie compliance and security together," Mehring noted. "You’ve got this beautiful compliance floor that you built in your organization, and where you want to go is that beautiful ceiling where you have this full protection, high reliability type of security program - and then you've got the walls that really tie them together."
So how can organizations successfully address compliance and security questions? Leadership plays an important role, Mehring said, and developing evidence-based practices based on data can help an organization achieve its information security goals.
In addition, organizations in all industries need to examine their insurance needs, Mehring added.
"Insurance is a big thing these days. How much risk do I just throw out in insurance? What makes sense from the organizational standpoint? What makes sense? How much risk should I transfer? Every industry is different, but you will have to come up with that type of stuff and it needs to be evidence based. You can’t do that without data," Mehring pointed out.
A fragmented organization, i.e., a business with siloed departments, is at greater risk than an organization that promotes collaboration, Mehring noted. If an organization focuses on people, processes and technology, it can reduce its information security risks.
Mehring added, "What will happen is that your data will be fragmented, it will be all over the place; you'll be missing and you won’t be able to answer those critical questions, I guarantee it. But structurally and organizationally, you have to set yourself up for this."
Mehring also stressed the need for modern organizations to empower and enable the entire workforce to be data and analytics driven. No matter the industry, employees who take part in data collection are empowered to find ways to become more productive and efficient. The organization as a whole can leverage data to bolster its efficiency and reduce its operating costs as well, he added.
Shifting gears to security, Mehring noted that an organization that educates its employees about myriad security dangers can proactively minimize risk. Giving workers a step-by-step process to deal with security issues ensures they can identify and eliminate any cyber threats they encounter.
Mehring also spent time speaking to data analysis, which has become increasingly valuable for organizations of all sizes. Mehring noted successful data analysts must use standardized processes to evaluate data, thereby enabling the organization to optimize the value of this information.
Mehring stressed the importance of an objective approach to data analysis. With an objective approach, data analysts can avoid biased plans that lead organizations to "mis-prioritize" their security initiatives.
Setting up a use case that helps data analysts understand how an organization will respond to various security risks is also essential, as this use case enables an organization to collect actionable data it can use to bolster its security. Mehring added that this can take an organization further along the path to becoming data-driven.
Towards the end of his presentation, Mehring paused to highlight the amount of time and patience his fellow executives need to successfully incorporate data into their operations.
"Be patient, it's going to take time. To become data driven in our organization, two years, not three months, not six months, not one year, two years, and I'm saying data-driven, in other words re-orientating everyone so they're actually using data to make decisions," Mehring said. "Very difficult. Have patience, take it step-by-step on how you're actually building your use cases, on how you're moving that data out to stakeholders and visualizing it. Be very patient with it."
Ron Mehring serves as the chief information security officer / director, information security for Texas Health Resources, one of the largest faith-based, nonprofit health care delivery systems in the United States. The system's primary service area includes 16 counties in north-central Texas, home to more than 6.2 million people.
At Texas Health Resources, Ron leads IT GRC, security architecture, security operations, and the IT BC/DR program. His current initiatives are focused on improving team performance, improving resiliency management, integrating a threat-management architecture that accounts for present and emerging threats, and maturing a technology risk management program that is aligned with the strategic goals of the organization.
Ron began his career in technology with the United States Marine Corps. After 21 years of military service, Ron retired from the Marine Corps and joined the Department of Veterans Affairs, where he led Compliance Assessment teams within the newly formed Oversight & Compliance group. He also served as the Department of Veterans Affairs' Deputy Director for Network & Security Operations.
Ron holds an MBA in Risk Management from NYIT and is a Certified Information Systems Security Professional (CISSP).