The Department for Health and Social Care (DHSC) has kicked off the recruitment process for a national chief information security officer (CISO) to sit within the Digital Policy Unit (DPU) of NHS England’s (NHSE’s) Transformation Directorate.
The Leeds-based post comes with a salary of £150,000, which is £5,000 above the national median for such a position, according to ITJobsWatch, and £30,000 higher if London is excluded.
The successful candidate will be tasked with providing “strategic leadership, direction and specialist expertise on cyber security for DHSC and the wider health and care system, which includes local NHS and adult social care organisations as well as the DHSC’s arm’s-length bodies”.
They will take charge of implementing an organisational strategy, approach and processes to enable the smooth functioning of services and reduce the cyber risks faced by the NHS, which as a high-profile, nationally critical body sees high volumes of incidents daily, and has previously been on the receiving end of some of the most globally impactful cyber events ever seen, such as WannaCry.
This will include establishing a national-level strategy, standards and controls, and implementing policies and assurance regimes to protect the health and social care system’s IT assets, services and technologies. They will also serve as the DHSC’s and NHSE’s most senior cyber risk adviser, with the possibility of additional responsibilities for information governance and data policy being added to the in-tray.
Among the NCISO’s anticipated duties are the fulfilment of a three-year strategy for cyber security, including delivering a full programme business case to secure funding for it, and the creation and leadership of a cyber risk function across the system.
More hands-on aspects will include reporting on cyber risk, providing system-wide threat assessments with support from the National Cyber Security Centre (NCSC), establishing a more effective cyber security culture among frontline clinicians and other staff, acting as incident director in the event of a major cyber attack, working with the DHSC Operational Response Centre and cross-government partners including ministers, and attending emergency COBRA meetings if needed.
Simon Hepburn, CEO of the UK Cyber Security Council, said the threat environment businesses and organisations like the NHS face is constantly changing. “There is a huge amount of valuable data within the system, making it an attractive prospect for hackers, so it’s important that boards work with the CISO to integrate cyber security risk assessments into all of their operations. This should then directly feed into the overall organisation risk posture with a clear-eyed understanding of the strategic and operational risks posed by cyber threats,” he said.
“This individual is required to deliver a three-year strategy, demonstrating that adequately protecting any organisation, let alone the NHS, necessitates detailed and skilled preparation. For all organisations, extensive planning as well as upskilling within existing teams is beneficial in achieving transformational improvement in cyber security capability.”
Javvad Malik, lead security awareness advocate at KnowBe4, said: “A CISO role for the NHS will be no small job given the fact that the digital estate is extremely broad, which has evolved and grown in different ways over the years. Any breach or attack against NHS systems has a very real impact upon people, which adds to an already high pressure and demanding role.
“The NHS makes an attractive target to many attackers, ranging from those looking to steal patient data, to criminals motivated by money, all the way to hostile states wanting to make a statement,” he said.
“Whoever takes this role will have a great responsibility, not just to technically understand the landscape and put in place security controls, but to also build a culture of security so that the security controls designed and delivered do not impact frontline workers, and bring everyone on board,” added Malik.
Erfan Shadabi, cyber security expert at comforte AG, said the industry was in agreement that cyber was now the biggest source of risk facing any organisation, and that in such an environment, organisations are increasingly obliged to do more than just the minimum to secure the data of their users, especially as regulations such as GDPR transfer more rights to them.
“Business leaders have to consider personal data as a trusted donation, not just data acquisition. The challenge for the NHS’s future CISO is balancing data use, security and data privacy in equal measures and deciding what the best security posture for the NHS could look like,” said Shadabi.
“A CISO should always keep the business front of mind. While they may not be trained in the business, it is a skill necessary for threat modelling. After all, it is their job to highlight and communicate the risk. After that, it is up to the business whether that risk is acceptable or not.”