healthsystemCIO.com

Q&A with Sutter Health SVP, Chief Integration Officer, CISO & Chief Privacy Officer Jacki Monson: The Current Approach to 3rd-Party Risk Management Must Change

01.29.2024 - By Anthony Guerra

It’s been said by many a CISO that they essentially function as the chief risk officer. What they are trying to say, of course, is that the job is all about understanding and communicating cyber risk. Interestingly, Jacki Monson – currently Chief Integration Officer, CISO & Chief Privacy Officer at Sutter Health – once also held the uncommon title of Chief Technology Risk Officer. Ultimately, Sutter chose to retire that title and track risk through other organizational-chart avenues. According to Monson, no matter what exact governance model is used, risk has to be followed, tracked, funneled and dealt with so it doesn’t fall into a black hole, leaving decision makers in the dark. In this interview with healthsystemCIO Founder & Editor-in-Chief Anthony Guerra, Monson talks about her views on risk, why she’s sensitive to the increased risk that comes with excessive change, and why the current state of third-party risk management (featuring vendor-submitted questionnaires) must change.

Bold Statements  

We actively have conversations with our board about how we’re managing the risk, what action plans we have, and then they poke holes in it and say, ‘Actually we’re worried about this, we’re worried about that.’ Then we change what we’re focused on if it’s an area where perhaps we missed something or we have additional opportunities. If they’re worried about it, we should be worried about it too.

I served as interim CIO last year at Sutter, and I was a little surprised that most of the 1,400 individuals that work in IT, nobody had been in the field to sit with clinicians. Rounding, I think, is absolutely an important thing, so I made it a part of their job requirements that they had to spend at least 10 hours a month out in the field learning that and understanding what the challenges are.

… you get this fatigue when you come to work every day and seven things out of 10 that you’re supposed to do are completely different. I think there’s a big opportunity with change management and really appreciating exactly that – what do we change, how do we change it, and then how is that impacting everything else that’s going on with the frontline staff who are dealing with all these changes and adversity as they’re taking care of patients.

Anthony: Welcome to healthsystemCIO’s interview with Jacki Monson, SVP, Chief Integration Officer, Chief Information Security Officer and Chief Privacy Officer with Sutter Health. I’m Anthony Guerra, Founder and Editor-in-Chief. Jacki, thanks for joining me.

Jacki: Thanks for having me.

Anthony: All right. Very good. Can you tell me a little bit about your organization and the roles that I mentioned you hold?

Jacki: Absolutely. Sutter Health is in Northern California, an integrated healthcare system. We have around 52,000 employees and 24 hospitals, lots of ambulatory locations, worth about $17 billion. I’m fortunate enough to hold more than just one title.

I am the Chief Privacy Officer, accountable for the entire privacy program at Sutter Health, accountable as a Chief Information Security Officer for the security program including cybersecurity, and my newest title is Chief Integration Officer which is managing all of our major mergers and acquisitions, anything that we’re integrating externally into the organization, and I’m responsible for a pipeline of around $600 million worth of project initiatives, really to save the organization money, standardize,
