CISO Spotlight: Highmark Health’s Khawaja on Creating a Security-First Culture
Healthcare providers on the front lines are utilizing new approaches and technology to deliver personalized experiences that improve patient care and outcomes. For Omar Khawaja, chief information security officer at Highmark Health, this “people-first” philosophy is also central to driving transformation and security-first consciousness across one of the largest integrated health delivery and financing networks in the United States.
Khawaja recently made a guest appearance on our CyberTalk with CyberArk podcast, hosted by Cybercrime Magazine, where he reflected on navigating changes throughout the pandemic; the intersection of security, culture and measurement; and Highmark Health’s Zero Trust philosophy.
Following are some highlights from this popular episode.
Working as a team involves understanding when and how to be flexible. At the height of the COVID-19 pandemic, security organizations were forced to make significant and lasting changes.
Khawaja described how his team has adapted in the face of pandemic-driven uncertainty.
“As was the case with organizations everywhere, it started with a very significant overdose of uncertainty. We went home and told our teams to do the same, thinking it would be for a few weeks. Then we thought it would be a few months. And then, we changed the question from ‘when are we going back to normal’ to ‘let’s figure out what the new normal is.’”
He also shared important lessons he’s personally embraced along the way, including the power of communication and empathetic leadership.
“During those initial months, I felt one of the biggest things I needed to do was show up with more humility. I’m used to having the answers — or being able to find them — for my team, and for the business. But in this case, no one had answers. The only option was to show up and be transparent, explaining what we knew, what we didn’t know, what questions and problems we were working to solve, and how we were going about that.”
He continued, “When you’re going through a difficult time — and definitely during a crisis — ongoing communication is critical. I went from holding a quarterly town hall with my team members to hosting weekly sessions to engage with them more frequently. Here we are, 80-plus weeks later, and we’re still doing them. It’s not about project updates or security or risk; it’s about our team — how we’re working together, how we can prevent burnout, how we can support and care for one another.”
Yet Highmark Health is no stranger to change. With a long history of successful mergers and acquisitions, the organization spans more than 35,000 employees covering the insurance needs of more than 6 million members today. Through this rapid growth, Highmark Health continues to execute its mission to create remarkable health experiences, freeing people to be their best. But it also opens the door to new cyber threats. Khawaja discussed the challenges — and opportunities — that come with the territory and the importance of keeping the “big picture” in mind.
“The security function exists to support the business. When the business wants to expand and deliver to the needs of our communities and customers, that’s an extremely positive thing. For our team, it’s about rethinking how we deliver security — from threat detection to privileged access management to data loss prevention — at 10X, 20X the scale and do it in 60, 70, 80 or even 90 percent less time.”
He continued, “We’re focused on using lots of automation to work smarter — stepping back to realize we’re going to have this happen hundreds of times and reimagine certain parts of the security program to be able to deliver at scale and meet the needs of the customer. And a lot of that means even closer alignment with the business.”
Bridging both healthcare and insurance, Highmark Health must continuously safeguard an ever-expanding trove of sensitive customer data — the ultimate asset. In recent years, as the organization has accelerated its move to the cloud, the team has embraced Zero Trust as a common architecture and overarching mindset as it works to protect sensitive data and assets.
“Zero Trust is part of our DNA — one of the four pillars of our security program. But it’s not about implementing technology — it’s more about operating security with Zero Trust in mind. We look to reduce the amount of access individuals have; we don’t trust everyone who attempts to connect to our systems; and we assume that users are connecting from end user devices that are already infected. Certainly, in the case of increasing ‘work from home’ programs — what we call ‘work from anywhere’ in our world — philosophies like Zero Trust are very applicable.”
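The three tenets Khawaja lists (least privilege, no implicit trust in a connection, and assuming the endpoint is already compromised) translate into a per-request access decision rather than a one-time login check. The following is an added illustration written for this article, not Highmark Health's code or any CyberArk product logic; the subjects, resources, grants, posture fields and thresholds are all hypothetical. Note that the request carries a network field that the policy deliberately never consults, which is the "don't trust the connection" point made concrete.

```python
"""Default-deny, per-request access decision illustrating the Zero Trust
tenets quoted above. Added example; names and thresholds are hypothetical."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"
    RESTRICT = "restrict"  # allow only through an isolated, no-download session


@dataclass(frozen=True)
class DevicePosture:
    managed: bool        # enrolled in device management
    disk_encrypted: bool
    edr_healthy: bool    # endpoint agent reporting in and not flagging compromise
    os_patched: bool


@dataclass(frozen=True)
class Request:
    subject: str
    mfa_verified: bool
    session_age_s: int
    device: DevicePosture
    resource: str
    action: str
    network: str  # "corp", "vpn" or "internet"; intentionally ignored by policy


# Hypothetical least-privilege grants: anything not listed here is denied.
GRANTS = {
    "alice": {("claims-db", "read")},
    "bob": {("claims-db", "read"), ("claims-db", "write"), ("pam-vault", "checkout")},
}
# Actions that must never run from a device we cannot vouch for.
SENSITIVE = {"claims-db": {"write"}, "pam-vault": {"checkout"}}
MAX_SESSION_S = 8 * 3600  # force re-authentication after eight hours


def posture_ok(d: DevicePosture) -> bool:
    """All posture signals must be present; a missing EDR heartbeat is
    treated as compromise, per the assume-breach tenet."""
    return d.managed and d.disk_encrypted and d.edr_healthy and d.os_patched


def decide(req: Request) -> tuple[Decision, str]:
    # Tenet 1: least privilege. The grant must be explicit for this
    # subject, resource and action; there is no role that implies "everything".
    if (req.resource, req.action) not in GRANTS.get(req.subject, set()):
        return Decision.DENY, "no explicit grant"

    # Tenet 2: don't trust the connection. req.network is never read, so being
    # on the corporate LAN or VPN adds nothing; identity must be freshly proven.
    if not req.mfa_verified:
        return Decision.DENY, "mfa required"
    if req.session_age_s > MAX_SESSION_S:
        return Decision.DENY, "session expired; re-authenticate"

    # Tenet 3: assume the endpoint is already infected. Sensitive actions are
    # refused outright from an unhealthy device; read-only work is pushed into
    # an isolated session so a compromised endpoint cannot exfiltrate.
    healthy = posture_ok(req.device)
    if req.action in SENSITIVE.get(req.resource, set()) and not healthy:
        return Decision.DENY, "sensitive action from unhealthy device"
    if not healthy:
        return Decision.RESTRICT, "unhealthy device: isolated session only"
    return Decision.ALLOW, "ok"


HEALTHY = DevicePosture(True, True, True, True)
NO_EDR = DevicePosture(True, True, False, True)  # agent silent: assume breach

if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    for r in (
        Request("alice", False, 60, HEALTHY, "claims-db", "read", "corp"),
        Request("alice", True, 60, NO_EDR, "claims-db", "read", "corp"),
        Request("bob", True, 60, NO_EDR, "claims-db", "write", "vpn"),
        Request("bob", True, 60, HEALTHY, "pam-vault", "checkout", "internet"),
        Request("bob", True, 9 * 3600, HEALTHY, "pam-vault", "checkout", "corp"),
    ):
        print(r.subject, r.resource, r.action, r.network, "->", decide(r))
```

The ordering matters: the grant check runs first so that an attacker probing for resources learns only "denied", and the device-posture branch distinguishes between refusing a write and degrading a read, which is how "assume the device is infected" becomes an operational rule rather than a slogan.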
For a successful cybersecurity program to take hold, a security-first consciousness must extend to every individual member of the organization. The 2021 Verizon Data Breach Investigations Report found that 85% of data breaches involve a human element, but it’s not for lack of awareness. Everyone knows they shouldn’t share passwords or click suspicious links — but how well does that knowledge translate into behavior?
“It’s not enough to say everyone should take annual security training or just do phishing exercises. The problem with training is that everyone leaves thinking that it applies to others first. It’s not very actionable because it doesn’t tell us how we’re doing. We all think we’re doing well in the absence of specific feedback to tell us otherwise.”
He continued, “Everyone is already aware of the basics of cyber hygiene. But when an incident occurs, the individuals involved almost always say, ‘I should have been more careful.’ The issue is not a lack of awareness or knowledge. It’s about changing behavior, and training is just one tool to accomplish that.”
Highmark Health’s implementation of a “cyber score” program has deeply ingrained security into the organization’s psychology. Rather than merely creating awareness, this measurement provides each individual employee with feedback on their own security practices. With real, actionable feedback, employees are empowered to improve their individual behavior.
“(Management consultant, educator and author) Peter Drucker was right when he said, ‘what gets measured gets managed.’ If we don’t have a way of measuring human risk, it’s really challenging to effectively manage it.” He continued, “It’s all about value realization, and in this case, we’re focused on changing the culture.
“Most theories of change management tell us that the single most effective person to influence any individual in an enterprise is not the CEO — it’s their direct supervisor. So, with that understanding, I’m focused on arming every single individual manager to be able to have that conversation with the people who report to them. Because they’ve got more influence on the people who report to them than anyone else in the organization.”
The Highmark Health cyber score program has empowered managers at every level of the organization to initiate conversations about security. Khawaja also noted that when managers and employees have sufficient feedback and feel empowered regarding their security choices, real change blossoms.
“Over 10,000 people in our enterprise completed security training — not because I made them, or their boss made them, or compliance made them, but simply because they wanted to improve their cyber score. Culture changes are based on each individual changing.”
Highmark Health’s cyber score program isn’t your average security training — it meets individual employees where they are and motivates them to change their patterns of behavior. If we truly want users to embrace security as a mindset and lifestyle, we must take the time to understand what makes them tick — and partner closely with business stakeholders to drive engagement and meaningful change.
Editor’s Note: Answers have been edited for length and clarity. Access the full interview here — or wherever you get your podcasts.