Ask The Experts: How to Reassure Your Customers About Your Security and Privacy Frameworks

Written by

Mark Nicholls, Head of Information Security, Risk & Compliance, Ramsay Health Care UK

For the healthcare sector, security and privacy is a top priority. The data we hold and process is probably some of the most sensitive data related to individuals. In fact, there is strict regulatory compliance we must adhere to under the UK’s Data Protection Act and GDPR, as health data is defined as special category.

Although primarily an independent healthcare provider, operating 40 hospitals and facilities throughout the UK, we do provide services to the NHS across the country and as such there are data sharing agreements in place. To allow for this, as an organization we must also meet the security and privacy standards laid out in the NHS Digital Data Security and Protection Toolkit – a yearly requirement and published to interested parties.

With this in mind, it is critically important that our customers are satisfied that we are doing the right thing when it comes to security and privacy in respect of their data, whether they are a private or NHS patient.

We already face an uphill struggle communicating security to our customers, as generally speaking our customers are not interested in security from a practitioner’s point of view, i.e. if one starts a briefing or communication detailing the cryptographic algorithms or complex technical security controls we have in place, they will switch off and we lose engagement.

To our customers, security should be somewhat invisible, providing a frictionless user experience. What is important to them is getting the best healthcare services available, while we worry about the security and privacy of their data in the background.

We do this by making sure all interactions are customer focused, while maintaining the balance of security versus usability. We have done a lot of work on the patient journey to underpin our technology choices when it comes to digital transformation. Those choices have resulted in us selecting best of breed security solutions, ensuring our company, staff and patient information assets and the associated technology, applications, systems, infrastructure and processes are adequately protected.

If our choices around security technologies or how we have implemented security into a process results in a negative customer experience, then we have got it wrong!

We want to be open and transparent with our customers around what we are doing with security; as such, we are in the process of developing communications and briefings in a language that we deem “human and kind.” This means there will be no technical jargon and the language used will be positive. We will talk about patient journeys and the steps we take in the background to protect data. This will be a combination of high-quality focused security and privacy training for all our staff, implementation of best of breed technical controls and robust processes around security. We will tie this to our public promotion of compliance with standards such as ISO27001 and NHS Digital Data Security and Protection Toolkit, and what this means in jargon free language to those who interact with us.

Our goal is to ensure our approach to security and privacy is customer centric.

Mark holds overall group responsibility for security management and related governance activities, ensuring that the organisation puts appropriate safeguards in place to protect information assets and business operations. Prior to Ramsay, Mark was CISO at Chime Group, a global marketing, advertising, PR and events company.


Mark Guntrip, Senior Director, Cybersecurity Strategy, Menlo Security

The news has a constant stream of articles about the latest threats and attacks. It seems like every day we are learning about new data breaches and ransomware attacks. It is no secret that the bad guys are working to stay a step ahead of threat prevention solutions. So how can security vendors reassure their customers about their security solutions?

At Menlo Security, we recently conducted a survey that found email was the most cited entry point for ransomware attacks, followed by desktop browsers and mobile devices. Interestingly, evolving threats and remote workers were named as the biggest challenges in ransomware defense. Clearly, phishing is still an effective attack tool. Continuing to educate your teams about the dangers of phishing attacks and how to spot them must remain a priority. But we all know from experience that education and training are not the be-all and end-all solution.

Ransomware, and most other attacks, are best prevented prior to the initial intrusion. If the threat can be prevented, it means the infection chain never happens. Deploying a security solution that is focused on preventing attacks, rather than detecting and mitigating them after the fact, is the best way to show customers you have a robust security posture. Therefore, demonstrating how your solutions help address pre-attack frameworks (MITRE) as well as the expected attack frameworks (NIST, MITRE), can show a preventative approach to security.

As we see attacks increasing, companies cannot stand still. Security teams need to put a greater emphasis on business continuity and disaster recovery. They should also monitor and respond to the latest threats. Where supply chain attacks have been shown to be incredibly damaging, the risks associated with third-party connectivity and integration should be considered to manage or minimize the attack surface, for example.

As compliance regulations have started to converge with security mandates, there is now a range of certifications that an organization can use to demonstrate its security posture. Everything from ISO 27001 as a building block of organizational security through to more rigorous certifications, such as FedRAMP, and even customer security audits with external validation. Companies that have a wide range of validation with internal and external acceptance can be seen as a secure choice.

Today, users, their data and applications, are all found in the cloud. While all this work is being conducted in the cloud, it is also the one place where traditional security measures – which are still very much relied on – are not located. With web browsers constantly being updated to address vulnerabilities, and SaaS applications further expanding the attack surface, there is more distributed work – and data – to protect.

Securing modern workplaces requires modern security. Coupled with in-depth defense measures, today’s preventative security measures involve taking a Zero Trust approach to security that protects productivity where it occurs. Security is most effective when it is applied close to the user, applications and data.

Mark is responsible for articulating the future of threats to security leaders around the world. Prior to joining Menlo Security, Mark was a security strategist at Proofpoint, Symantec, Cisco and several other leading cybersecurity providers.


Zaira Pirzada, Advisor, Lionfish Tech Advisors

The alphabet soup of security compliance requirements you meet, and the security standards frameworks you certify against or attest to, can get anyone’s head spinning, especially your customers.

Ultimately, what they want to know is: “Is my data secure?”

Well, is it? From one audit to another, many security functions piece together their full security and privacy story to convince the auditors that their mix of people, practice and technology yields good security. Most pass the test, sufficing one checkbox after another year after year. This may provide a seal of approval from accredited auditors, but for the customer it is not a true, proper and detailed answer to the question “is my data secure?”

So how do we reassure customers that the sum of our efforts in security and privacy told in our evidence packs to auditors translates to their data being safe?

Here are my Top Three Recommendations:

My first recommendation is that you maintain strong policies, processes and procedures. Your privacy policy should be publicly shared with your customers and detail the following: the different types of customer data you collect; how you collect and use customer data; where you disclose customer data; and the customer’s legal rights regarding their data. It would be to your benefit to provide customers with the best email or number to reach your organization to discuss any unresolved questions.

My second recommendation is that you publicly educate your customer via a security-privacy-customer trust page housed somewhere on your website (yes, you need this). Here, briefly explain the importance of your information security management system, privacy function and customer trust. Visitors to this page should know that you exist to ensure the security and continuity of your organization and to build on the relationship of trust between your enterprise and your customer base. On that same page, list the security and privacy compliance certifications, attestations and regulations you abide by.

You should expand on each element of that list with what it is, why you abide by it and how often you are assessed by third-party accredited auditors.

My final recommendation is that you emphasize signing a non-disclosure agreement (NDA) at the initial or renewal contract stage regarding any conversation about the confidential and inner workings of your security and privacy functions. Why? So that the customers who are still not assured by the information you provided in your policies and other publicly facing material can be immediately granted the right to read through your certification and attestation reports, and even dive into your program during a security walkthrough. This is all with the security function’s assurance that any information shared will be safe during the length of the customer-provider relationship.

This method is the most time-consuming; however, it is proven to be very beneficial for those larger clients that have deep internal security teams and risk management functions working on answering their detailed, third-party supplier security questionnaires. Though this way is not scalable and should be reserved for the most adamant customers, this truly is walking the talk.

Zaira Pirzada is a multi-lingual actress, writer, as well as a security and tech advisor with Lionfish Tech Advisors. Prior to joining Lionfish Tech Advisors, she was a security analyst with Gartner, Inc., covering the data loss prevention, file analysis and data masking markets.