A US-based subsidiary of UnitedHealth Group (UHG) was hit with a ransomware attack in February. As a result of the attack, sensitive health data on a substantial portion of the US population may also have been stolen.

US Senator Ron Wyden, a long-standing critic on technology and data privacy matters, has just sent a letter to US regulators (the FTC and SEC) accusing UHG's CEO, its board of directors, and its Audit and Finance Committee of failing in their duties when they appointed an experienced IT professional with no prior cybersecurity experience to be UHG's Chief Information Security Officer (CISO).

Here is just some of what the senator had to say:

“One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. [..] Although [he] has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise.

Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job.

Due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat [him] for UHG’s cybersecurity lapses.

Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company. [..] The Audit and Finance committee of UHG’s board, which is responsible for overseeing cybersecurity risk to the company, clearly failed to do its job.

One likely explanation for this board-level oversight failure is that none of the board members have any meaningful cybersecurity expertise.”

So what?

While I'm not sure anyone would compare a CISO to a brain surgeon or heart surgeon, it's a reminder that we can't assume someone with IT experience can automatically take on a senior information security role.

Understanding “IT” does not mean you understand “IT Security”.

And understanding “IT Security” does not mean you understand “Information Security”.

Don't believe me? Then why do most of the mandatory requirements of ISO/IEC 27001 (the international standard for information security management systems) have nothing to do with technology? Its mandatory clauses cover the organisation's context, leadership, planning, support, operation, performance evaluation and improvement; the technical controls sit in Annex A, and even there many of the controls are organisational, people or physical controls rather than technological ones.