Best Practices from Leading Security Executives

With our primary focus on HIPAA and HITECH compliance, it is not often that we discuss non-healthcare security breaches. However, a recent article by sheds light on significant breaches outside of healthcare and offers sound advice from two global CISO leaders that applies to any industry.


Within a two-month period, RSA, Epsilon and Sony Corp. were all involved in major security breaches. RSA's SecurID product was breached, and Epsilon and Sony Corp. customer accounts were hacked. Each of these types of incidents could easily affect any company in any industry.

In response to these high-profile incidents, Alessandro Moretti, a senior risk and security executive in financial services, and Abbas Kudrati, head of information risk and security director for the kingdom of Bahrain, shared their advice for CISO managers who are in a position to protect their companies from such events. Below are some excerpts from the article:


No. 1: Build Trust with Senior Management

An incident as significant as the RSA breach requires leaders to be agile and able to redirect investment, projects and security controls within the shortest possible time if needed, says Moretti. This transition can only happen when IT security leaders have built trust with the business owners by establishing an open line of communication in which they discuss pervasive and forward-thinking issues on a continuous basis.


No. 2: Enhance Security Awareness

These high-profile breaches have reinforced the need for comprehensive employee training programs designed to help organizations build a more security-conscious workforce.


No. 3: Manage Risk with Vendors

IT security leaders can no longer just focus on controls and contracts in dealing with vendors that provide software, applications, network and core infrastructure solutions. Leaders have to ensure that "…vendor management is built into the risk framework, so these providers know what risks they are managing for you," Moretti says.


If you have concerns about your healthcare organization’s level of security or simply want to take stock of where you are, visit  Our straightforward assessment tool helps covered entities, business associates and their subcontractors meet HIPAA-HITECH Security Rule requirements.

