By Robert Booker, Chief Strategy Officer, HITRUST
HITRUST Focus on Continuous Improvement
HITRUST has been dedicated to measuring and improving security maturity with accuracy, consistency, and integrity for over 15 years. We have done this by working closely with thousands of companies, their partners, regulators and trading partners, and security assessors. Cybersecurity threats and risks to technology systems are ongoing and ever-evolving, and Version 11 of the HITRUST CSF (HITRUST CSF v11) continues our shared commitment to the security journey we all travel together.
Security is an Ecosystem
The HITRUST CSF v11 builds on our experience working with entities with diverse risks and requirements. Input from security leaders from organizations of all sizes, plus our vast research, confirms that the need to assess, measure, and communicate security maturity is as important for companies with lower risks as it is for the largest, most complex companies, and those serving the most heavily regulated organizations.
Companies and their systems are integrated in new, exciting, and creative ways to form a living ecosystem. Such integration increases both the complexity of security assurance, and opportunities to leverage, or inherit, security controls from others. Companies may rely on their cloud service providers for key security features. They may use application software that provides valuable features and insights. Perhaps they manage diverse infrastructures that come from multiple acquisitions. Regardless, security requirements exist in an ecosystem where maturity can increase with capabilities and synergies and where shared vulnerabilities can weaken the ecosystem.
Metrics Lead to Maturity
Our work with companies at all stages of their security journeys has made it clear that they need the ability to start where they are, at the appropriate level for their current state. They can increase the level of security assurance delivered and measured by their program as their experience, risk maturity, and maturity of their security programs increase. This is why we continuously improve and expand our assessment portfolio. The introduction of HITRUST CSF v11 provides a critical foundation that companies can build upon and increase the level of security assurance based on their evolving business. CSF v11 provides portability with increasing maturity to ensure that the most relevant controls remain in place.
While the organization grows in security coverage and requirements. Where a company’s security and compliance team uses a consistent framework, their important and scarce internal experts grow in experience and ability to communicate the company’s security system design, operation, and documented maturity in a consistent and reliable manner.
Imagine a situation in which a company merges with another, expands, or restructures its technology operations. During the acquisition due diligence and following any major change, the security maturity of the related organizations is a major consideration. The system created through planned integration is critical. A common framework such as CSF v11 will allow for a rapid initial assessment of the foundational cybersecurity elements of the new entities, as well as allow for a longer-term and more comprehensive assessment of the entity’s security maturity over time. And, the use of a common framework provides consistency for security and compliance experts that all involved organizations can use to clearly educate each other about expectations and control requirements.
Growth of Maturity Through Traversability
An important design consideration of CSF v11 is the ability for a company to grow its security program and reuse past work to achieve higher levels of security assurance. This is accomplished by reusing the controls assessed in prior HITRUST assessments as the foundation for higher levels of assessment. Over time, a company can progressively traverse across the assessment portfolio to achieve higher levels of assurance using common control requirements. These include controls they may inherit from other organizations, like cloud service providers. Our conversations with security leaders across multiple industries have resulted in a portfolio of three security assurance levels focused on the needs of companies at different stages in their journey, progressing as they invest in and mature their security programs:
- Essential Hygiene (e1) for lower-risk organizations, validating the most critical cybersecurity controls.
- Leading Security Practices (i1) for organizations with robust information security programs, ready to demonstrate controls that protect against current and emerging threats. Leading Security Practices certification can build on essential cybersecurity controls as organizations progress in their security journey with reduced complexity and increased efficiency.
- Expanded ability for organizations to demonstrate regulatory compliance and risk management (r2) against authoritative sources such as HIPAA and the NIST Cybersecurity Framework. This also supports expanded tailoring of controls based upon identified risk factors.
The goal is consistency as companies expand their risk management and compliance requirements with minimal rework of their security program.
Consistency Through Common Assurance
Security delivery and maturity do not begin or end with the control framework or a comprehensive set of security assurance levels. Instead, the value of a security assurance program is directly tied to the quality of the underlying assurance system, which includes how the security requirements are selected, documented, assessed, and ultimately measured. HITRUST provides four critical success factors, inherent to the portfolio, that, together, provide the highest level of Rely-ability™ available today.
Transparency requires a publicly available and widely adopted control framework with control selection, evaluation, and scoring all clearly understood. Consistency of results is assured when different assessors reach consistent outcomes and when reports can be compared. Accuracy of assurance occurs when the granularity of requirements is repeatable and when scoring is formula-based and quantifiable. And, lastly, Integrity of the approach to assurance is delivered when all validated assessments from all assessors receive a consistent quality inspection to insure objectivity and consistency of approach.
The continuing evolution of the HITRUST CSF provides a vital foundation for companies of all security levels and across their entire technology ecosystem. The ability to measure maturity using demonstrated metrics and traverse an assurance portfolio as requirements evolve, and to communicate requirements clearly, are all critical success factors in security assurance. Rely-able™ assurance is foundational to ultimately measuring and demonstrating that the program is delivering the security value required and expected.
About the Author
Robert Booker, Chief Strategy Officer, HITRUST
Robert Booker serves as the Chief Strategy Officer for HITRUST following his retirement from over 30 years as a cyber security leader and technology professional. Prior to HITRUST, Robert spent 13 years as the Chief Information Security Officer for a Fortune 10 company dedicated to the healthcare industry. Prior to his leadership in healthcare, Robert served as a cyber security leader with a multi-national telecommunications company leading and supporting information security programs and initiatives for numerous global enterprises in the pharmaceutical and consumer products sectors.
Robert’s focus throughout his healthcare tenure has been the application of security principles to clinical care, information, and technology to serve the health care environment and industry, the protection of information entrusted to the companies he has served, and the measurement of sustainable cyber security programs. Robert is passionate about continuously measuring and improving system capabilities given the evolving risk landscape and active cyber threats and has actively represented his programs to executives, directors, regulators, risk underwriters and rating agencies all focused on understanding not only the maturity of the system he has represented but the leadership philosophy and principles needed to continuously invest in a robust cyber security capability at enterprise scale.
Robert’s career has been marked by active collaboration across the companies and industries where he has served. Robert has engaged with other industry leaders and customers all focused on serving healthcare. Robert serves on the Board of Directors of HITRUST where he has been instrumental in establishing a common security framework for the health industry and in supporting the adoption of security principles by companies the health ecosystem and other industries.
Throughout his career, Robert has spoken at multiple venues on topics ranging from cyber security program principles to leadership development for cyber professionals.
Robert is a U.S. Navy veteran and an alumnus of the first FBI CISO Academy (2015 class).