Zscaler Blog

Evolving Heroes: How the Role of Healthcare CISOs is Changing

STEVEN HAJNY
December 16, 2025 - 6 min read

The perception of Chief Information Security Officers (CISOs) in healthcare has shifted dramatically over the past few years. What was once seen as a rigid, policy-focused role—“the Department of No,” as some would say—has evolved into a dynamic, strategic position at the intersection of security, technology, and business innovation.

I had the privilege of sitting down with Drex DeFord, former CIO and current thought leader at This Week Health, on a recent episode of We Have Trust Issues to discuss this evolution. Drex's experience spans decades in the healthcare landscape, from serving as CIO for major institutions like Scripps Health and Seattle Children’s Hospital to his current work with healthcare executives across the nation. What was clear from our conversation is that modern CISOs are stepping far beyond their traditional responsibilities and into exciting but complex new roles.

From “The Department of No” to the Enabler of Innovation

Once upon a time, CISOs were seen as bureaucratic gatekeepers, responsible for writing policies, enforcing rules, and building firewalls to keep cyber threats at bay. Fast forward to today, and CISOs are increasingly called upon to be business enablers, proactively driving innovation while managing risk.

As Drex explained, “CISOs aren’t just trying to keep the bad guys out anymore. They’re keeping the business alive, ensuring resilience, and enabling their organizations to recover quickly when bad things happen.”

This is particularly true in healthcare, where the pandemic accelerated digital transformation and demanded unprecedented agility in responding to rapidly changing needs. Security leaders found themselves knee-deep in projects like enabling remote clinical workflows, telehealth readiness, and securing massive migrations to cloud-based platforms.

Bridging Silos: Bringing Security and Technology Together

One of the most striking trends Drex and I discussed is the hybridization of roles like CISO, Chief Technology Officer (CTO), and even Chief Information Officer (CIO) in healthcare. Many health systems are consolidating these roles to reduce friction and align security with overarching technology goals. The result? CISOs are increasingly stepping into merged leadership titles, like Chief Information Security and Technology Officer (CISTO).

This shift is partly a response to friction that used to exist between security and IT teams. “In some cases, the simplest way to resolve the tension was to put both responsibilities under one leader,” Drex mentioned. But more than that, these evolving roles equip organizations with leaders who inherently understand security’s critical role in supporting business objectives.

The modern CISO has also developed a deeper understanding of clinical workflows, business operations, and organizational priorities. "CISOs are learning to step out of their silos," Drex noted, "collaborating with stakeholders in clinical care, research, and operations to ensure security isn’t a limitation but a partner to progress."

The Balancing Act: Prioritizing Budgets, Innovation, and Resilience

As the role of the CISO gains complexity, so too do the challenges they face. Healthcare organizations are under immense financial pressure, meaning that CISOs are juggling cost optimization, digital transformation, and security risk management all at once. With the threat landscape constantly changing, Drex observed, cybersecurity is no longer just about “keeping the bad guys out” but ensuring business continuity and safeguarding patient care—even under attack.

“Innovation, modernization, application rationalization, AI, and digital transformation are now all part of the CISO’s remit,” Drex said. “They’re at the executive table, shaping strategies that touch every part of the organization—from clinical workflows to supply chain security.”

CISOs, now more than ever, must balance their role as protectors with their emerging function as enablers of innovation. This requires saying “yes, but” instead of a hard “no”—helping their peers understand that creativity and agility are possible within the guardrails of a secure framework.

The Path Forward: Advice for Aspiring CISOs

The evolving demands of the CISO role provide a unique opportunity for leadership growth. As Drex put it, many CISOs are equipped with everything they need to ascend beyond their current positions—whether it’s into the CIO role, a Chief Operating Officer role, or even to CEO someday. His advice for those looking to make the leap is simple but profound:

  • Think Bigger: Don’t limit yourself to being “just a CISO.” Modern CISOs have deep expertise in technology, security, and operations, which makes them natural candidates for leadership roles. Embrace this unique perspective.
  • Learn the Business: Understand clinical workflows, operations, tech stacks, and even how your organization gets paid. Work on speaking the language of all departments—from orthopedics to billing.
  • Be a Problem Solver: Saying “no” can create division, but saying “yes, but” means offering solutions while outlining requirements and resourcing challenges. Break the “Ivory Tower” stereotype and show the value security can bring.
  • Step Outside Your Comfort Zone: Volunteer for projects outside the security space. Whether it’s filling a temporary role or working on a cross-department initiative, these experiences build trust and open doors.

Building Trust in the Age of AI

Another prominent theme in our discussion was trust—or, more specifically, the growing “trust recession” in today’s digital world. Rapid advancements in AI and deepfake technology have made synthetic media commonplace, muddying the waters of what can be trusted online.

“Generative AI, voice deepfakes, and manipulated media can all be used for good—but they can also be used for malicious purposes,” Drex said. With groundbreaking tools emerging every day, healthcare security leaders must grapple with new priorities, including protecting against AI-powered threats, vetting vendors’ AI capabilities, and identifying safe use cases for large language models (LLMs).

Healthcare organizations need to stay ahead by creating sandboxes where innovation can flourish safely, bringing AI capabilities in-house where necessary, and ensuring that sensitive data is handled responsibly. As Drex succinctly put it, “We want to enable innovation and creativity, but we have to do it in a way that protects the organization.”

The Power of Shared Knowledge

One of the most compelling takeaways from my conversation with Drex was his insight on the collaborative nature of the healthcare industry. Unlike other sectors, where competitors rarely converse, healthcare is unique in its willingness to share resources, strategies, and even lessons learned from mistakes.

As Drex explained, “Nobody wants to win because another hospital is taken down by a ransomware attack. Healthcare is a team sport. The more we share knowledge, the better prepared we all are to protect patients and deliver care.”

Building a strong network with peers, mentors, and leaders from outside your own organization isn’t just valuable—it's essential. Whether through industry events, summits, or conversations over dinner, these connections provide the guidance, support, and perspective CISOs need to continually grow as executives.

Listen to the full conversation at HealthcareNOW Radio: https://www.healthcarenowradio.com/programs/we-have-trust-issues/


Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any warranty of accuracy, completeness, or reliability. Zscaler assumes no responsibility for any errors or omissions or for any action taken based on the information provided. Any third-party websites or resources linked from this blog are provided solely for convenience, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you accept these terms and acknowledge that you are solely responsible for verifying and using the information as appropriate for your needs.
