Interacting consistently with business leaders has allowed Anahi Santiago, Chief Information Security Officer at healthcare provider ChristianaCare, to win a coveted seat at the table.
“When I moved to ChristianaCare, one of the first things that I did was schedule time with all of the executives,” Santiago said. “And my approach wasn’t, ‘Here’s why cybersecurity is important,’ but to ask them, ‘What’s important to you? What are your challenges? What are the outcomes that you’re looking to achieve? And then let’s have a conversation about how I can help you through cybersecurity.’ That has helped to build the trust that has given me continuous invites to the table.”
Santiago began her career running all of the large global infrastructure projects for Unisys. “All of the areas I worked in had a cybersecurity component to them, and I just gravitated toward it. I just found the topic of security to be more interesting than other IT components,” she recalled.
Although “you couldn’t put a price on the knowledge I was gaining at Unisys,” she said, she was bartending to make ends meet. A contact there told her about an information security job opening at Einstein Healthcare Network, and that was the start of almost 20 years of healthcare cybersecurity experience.
“My husband reminds me all the time, ‘Not everybody loves their job like you love your job.’ I’m lucky,” she said.
Santiago’s background is in electrical and computer engineering, and her analytical mindset and a thirst for learning have shaped her ability to succeed in the ever-changing world of cybersecurity, she said.
But she is also a business-focused executive who puts a premium on translating complex technical concepts in a way that clinicians and business leaders can understand.
“By understanding their challenges I can help them to achieve their outcomes while building the trust that’s needed to create a culture of cybersecurity where we’re designing cybersecurity into strategy as opposed to bolting it on,” she said.
When she joined Einstein, there was no security program, so it was up to her to build one and convey its importance to executives and clinicians. That required getting to know the business.
“Taking that approach of getting to know the environment before just coming in and wielding controls that could potentially kill people was really important,” Santiago said. “And I’ve sustained that approach at ChristianaCare.”
This responsibility toward the lives and well-being of patients puts healthcare cybersecurity in a realm of its own, Santiago said.
“I think a lot of people who work in healthcare, specifically in the provider space, are mission oriented. We all get up in the morning recognizing that what we do is really impactful to people’s lives, not just to the bottom line,” she said.
“I’m often asked, how do you want to be remembered? I want to be remembered by a legacy, people thinking about the impact I had on healthcare, how I helped the industry evolve and improve. I think we all have a passion and a mission, and as executives, we really have a unique opportunity to drive meaningful change.”
Mentorship is a topic close to Santiago’s heart. While many information security professionals fret about a lack of skills and talent, she has a different perspective.
“I think part of our roles as industry leaders should be to build and infuse the talent in the industry by not just looking for the tenured unicorn who has 15 years of experience and commands a ton of money,” she said. “We should be finding the people who are hungry to learn, hungry to contribute, and give them an opportunity by teaching them.
“I would rather hire somebody who doesn’t have any cybersecurity experience and give them the foundation to grow than to hire somebody I’m going to lose a year from now because the market is so competitive. So our approach to building our team is generally to look for that entry-level talent that is hungry to learn and contribute, teach them cybersecurity, elevate them through our team, grow them into senior-level roles, and then utilize them to then mentor the new generation of cybersecurity professionals.”
As an industry veteran, Santiago has seen the CISO’s role evolve from technologist to business leader, and she expects it to be elevated further, with increased influence, responsibility and posture within the organization. In many healthcare organizations, the position has merged with the role of Chief Technology Officer, she said. “And I won’t be surprised if sometime in the next decade the trend will be for information technology or other areas of the organization to report to the CISO,” she added.
The threat landscape is also evolving, with malicious actors transitioning from the guy in a basement to full-fledged companies with the ability to grow a lot faster than information security programs can just by nature of budgeting dynamics, Santiago said.
“For healthcare, the challenges will be around the fact that the four walls of the hospital are disappearing and virtual care is here to stay,” she said. “And so building architectures and capabilities where we have the same level of visibility as we do inside the four walls of the hospital is going to become critical.”
That’s going to be especially challenging at a time when healthcare budgets are getting tighter, she said.
In an era of CISO burnout, Santiago is a firm believer in work-life harmony. Years ago, she used to work 14 or 15 hours a day, but when she went to do an executive MBA, she had to cut back.
“Nobody noticed. My performance didn’t degrade, evaluations didn’t degrade, and at that point I realized, I’m not going back. I really believe in turning it off at the end of the day, and moving out to running marathons, going to dinner with my husband, and traveling,” she said.
“I’m intentional about drawing a line between work and my personal time, and I’m really protective of this. I think this is a message we need to make sure we’re delivering, and I’m certainly delivering this with my team.”