The Virginia Department of Behavioral Health and Developmental Services (DBHDS) exists to create ‘a life of possibilities for all Virginians’ and transform behavioural health. Its focus is on supporting people across the entire commonwealth to get the help and support they need in order to take wellness and recovery into their own hands. In an area like healthcare, sensitive information is all over the place, meaning cybersecurity is a priority – and this is where Glendon Schmitz, CISO at DBHDS, comes in.
Finding maturity in cybersecurity
Cybersecurity at the organisation wasn’t always in the increasingly mature state it’s in now, of course. Schmitz joined DBHDS in late February 2020, and on interviewing for the role, he asked his boss what the maturity level of the business was security-wise. “I wanted to know what I was getting into,” Schmitz explains. “He said, ‘on a scale of one-to-five – five being the best – we’re at zero’. I thought that wasn’t possible, but when I came on board, I found very quickly that security was an afterthought the majority of the time.”
Schmitz’s first step was to sit down with the CIO – who started with DBHDS just a couple of months before him and with whom he has a fantastic relationship – and set out a plan of what they wanted and needed to achieve. They set a three-year strategic plan in place, including developing the cybersecurity awareness training and making sure it both works and is enjoyable.
“This has been so important because it’s building that bridge between the business and security,” Schmitz says. “The security team exists to help the wider organisation achieve its objectives. We’re there to protect the business, not the other way around.”
A positive culture
Schmitz began his role with DBHDS right on the cusp of the COVID-19 pandemic causing devastation across the world. As with most organisations, this created challenges for DBHDS. The cybersecurity team had its work cut out to make sure data was safe while people were working from their home networks, but what came out of this shift has been a truly positive culture change.
“I asked the team how they successfully adapted to remote working,” says Schmitz. “The big responses I got were about time management, work-life balance, and one-on-one check-ins that create a safe space to discuss life and ideas. I think that’s crucial. I’ve never had to manage a remote team before so I did a lot of my own research, and found a lot of books that focused on treating people as human beings and not a resource.
“I went to my team and made sure they knew that as long as they completed their tasks, how and why they achieved that was fully up to them. We’re knowledge-based workers and I can’t manage them by looking over their shoulders, forcing them to type away on keyboards for eight hours a day. They need a positive culture with the freedom to use their creativity to solve problems, and often that creativity comes when they’re not sitting at their desks. I said to them, ‘How you get things done is up to you – use all your imagination to figure out how we can fix problems’. I’ve had great success with that.”