This Framework in Focus interview was featured in the Spring 2022 NICE eNewsletter.
Title/Organization: IT Project Manager, Augusta University Health
NICE Framework Category: Oversee & Govern
NICE Framework Work Role: IT Project Manager
Academic Degrees: Master of Science in Information Security Management, Bachelor of Science in Business Administration with a concentration in Management Information Systems (MIS)
Certification: Project Management Professional (PMP)
This issue’s interview is with Karen Ribble, IT Project Manager at Augusta University Health. Ms. Ribble discusses managing projects in the health care sector, working with cybersecurity, and the importance of transferable skills. Below is a summary of her conversation with Karen A. Wetzel, Manager of the NICE Framework.
KAREN WETZEL: Hello, my name is Karen Wetzel. I am manager of the NICE Framework at the National Initiative for Cybersecurity Education at NIST. The NICE Cybersecurity Workforce Framework, published as NIST Special Publication 800-181, establishes a taxonomy and common lexicon used to describe cybersecurity work. The NICE Framework is intended to be applied in the private, public, and academic sectors. In this edition of the NICE eNewsletter series, Framework in Focus, it is my pleasure to speak with Karen Ribble who is information technology project manager at Augusta University Health. Karen, thank you so much for letting us learn more about your career pathway, understand the NICE framework from your lens, and learn about someone who is performing cybersecurity work.
Let’s jump in. Could you start by sharing a bit more about your role and responsibilities as information technology project manager at Augusta?
KAREN RIBBLE: As IT project manager I lead a project team of health care technology stakeholders. The technology might be anything from a server upgrade to a new application to an innovative project or new medical device. In project management we need to measure the levels of risk that need to be addressed, and identify the tasks and activities needed to release the final product. It may involve procurement, performance, process improvement of workflows, evaluating the existing workflows, and looking at all the processes and functions to make sure they're secure and working appropriately for the provider or the health care worker.
KAREN WETZEL: Can you describe a little bit more about the team you lead and the types of roles they fill?
KAREN RIBBLE: For a project management team there may be a varied group of individuals that make up that team. It may include the actual end user—for instance, a physician or a nurse—as well as the technical folks who are deep into the details of the technology. It might also include a data center analyst, a systems administrator, or someone from our cybersecurity engineering group, depending on the project itself and its unique deliverables.
KAREN WETZEL: Could you share a little bit more about the cybersecurity engineering group—I’m sure our audience are going to be interested in how you engage with them. Are they a regular part of every project you work on, or how do you know when to reach out to them?
KAREN RIBBLE: In some cases we include a cybersecurity engineer on every architecture review team, and sometimes as a project manager I may be tasked to work with an architecture review team made up of more of the technical folks, and we reach out to security to point out any areas of remediation, areas of risk, and help identify adjustments we need to make to ensure the product we're implementing is secure.
I have a great example. We had a new application that impacted our radiology group we were delivering. Some new enhancements we wanted to implement required the patient to enter information, so we brought in our security analyst to review the changes and work with the vendor on identifying areas of risk. They were able to identify some needed modifications to make the product more secure, so we pivoted to implement those changes. It delayed the project a little bit, but we want to be sure we are creating a secure environment that protects patient data.
KAREN WETZEL: It's the security-by-design approach versus trying to load it in at the back end.
KAREN RIBBLE: Absolutely.
KAREN WETZEL: Do you find there are some types of cybersecurity issues that come up more often than others in your work?
KAREN RIBBLE: In health care especially, in every project we make sure there is secure login and credentialing. We are implementing an active directory in all our applications, moving toward a single unique login and password for our users. Multifactor authentication is also something we’ve been looking at, but some of our developers and software developers haven't moved to that yet. So we need to work with those vendors to see what modifications we can make to improve our security.
Just like we’ve seen in other fields, there is a lot more remote work. Whereas in the past vendors would come onsite for a go live, now they're remote. Our cybersecurity team has developed policies and procedures around that to make sure that when they access us remotely it is secure.
KAREN WETZEL: I imagine in the health care field there is a lot of complexity that other sectors may not experience—a lot of risk others might not have to account for. You've been in this role since 2020; have you always been in health care?
KAREN RIBBLE: I have always been in some sort of academic environment, either college or K-12. When I worked on setting up our cybersecurity pathways and outreach programs I got very interested in our GenCyber camps at the university and their work with Girls Go Cyber and Girls Who Code. There's not a lot of women in technology, and I've enjoyed being a mentor. Augusta University Health is a teaching medical hospital, and we had done some engagement groups internally focusing on strengthening cybersecurity, and it got me thinking about making the pivot.
So after 25 years I went back to school, I got my master's degree in information security management. I focused on health care security IT, which is what brought me into my current position. I have my certification in project management, but it helps to have that cybersecurity knowledge especially when it involves the health care IT and the health care environment.
KAREN WETZEL: One of the things that we've been looking at is how to expand the pipeline into cybersecurity. A question that often comes up is around how to enter the field in non-traditional ways—not just via degrees and certifications. Although you did take that path, at the same time it sounds like your experience in cybersecurity preceded that. What are your thoughts when it comes to these pathways and the best way to go?
KAREN RIBBLE: I don't think there's one size that fits all. While some employers may require a college degree or an academic degree, there's also a trend in encouraging staff to stay current, continually learn, and grow – including via degrees or certifications.
There are some great technical colleges offering fantastic programs, too. Augusta University has a pipeline from the tech college right into the university. For someone just starting to look into this field, every opportunity that they can take helps. One of the high school girls who was in Girls Who Code had done a couple of online programs to pique her interest and it helped her realize she wanted to go into this area. She's now in her second year at Augusta University, attending the cybersecurity program.
And you're never too old to learn something new. I've always had an interest in information systems and processing. I may not have always liked the programming aspect of it, but I've had the analytical skills to help with troubleshooting and identifying how technology can improve a process, and that’s what I’m doing today.
KAREN WETZEL: It’s not just about that one pathway. There are so many ways of coming in, including upskilling and reskilling. We talk about how there are so many kinds of qualifications that can be applied in this field, and it’s just a matter of identifying those strengths and how they can be put to use in this field. The NICE framework does a good job of showing the broad variety of cybersecurity roles. Looking at the framework, how do you see it being useful?
KAREN RIBBLE: I really like NICE’s partnership with the CyberSeek tool, which makes it easy to look at different areas of the framework and how careers map to it. It helps to show how strengths you might have in one area can be put to use in multiple ways.
KAREN WETZEL: With our latest revision the NICE Framework introduced Competency Areas. Someone who may not be a project manager as their job might still have need for some project manager expertise, and so we're looking at the Competency Areas as a way of sort of framing that—giving a way to see how expertise from one area might be overlaid onto various work roles.
KAREN RIBBLE: Right. At Augusta University the business school has added project management as part of every program, from marketing to even in the accounting arena, because it is used in so many areas. You don't necessarily have to be a PMP, but will need to lead a team or identify a schedule, milestones, and completion date.
KAREN WETZEL: It's a lot like how we see the growing recognition for the need for professional skills, like good communication.
KAREN RIBBLE: The soft skills. Those are so needed. It goes to the question of recruiting, too. Diversity of thought is so important. I deal a lot with physicians and nurses, and sometimes because I'm not a nurse or physician I can bring a new approach to them with success. The same is true in cybersecurity—the importance of bringing a different perspective.
KAREN WETZEL: Let's talk about that a little bit more. You mentioned the work that you had done with the GenCyber camps, the Girls Go Cyber, and Girls Who Code. Could you talk a little bit more about how you have worked in making sure that we are working in a place that's not only welcoming to a diverse group of people but also the value that—as you were touching on there—it brings to our work.
KAREN RIBBLE: Yeah. With Girls Who Code you're working with high school girls, but we need to expose cybersecurity and technology at an even younger age. It’s really important to provide girls with those avenues of exposure and experience. They see stereotypes on TV about girls not being in technology, or they might think, “Oh, I’m not good at math so I can’t learn cybersecurity.” I think we still have a lot of work to do to break the idea that you have to be tech savvy to go into this field. Well, you don't always have to be. You have to understand and comprehend certain things and articulate, but you don't necessarily need to be in the weeds and the details.
I also think it’s great how with the GenCyber camp we've had students come out of that loving it. They might not necessarily choose cybersecurity as a career path, but they've learned the importance of security, and they've changed their behavior. That's a plus.
KAREN WETZEL: I know those folks who do cybersecurity awareness out there are on our side here, but that's exactly it. It's understanding that every person needs to manage risk in their organization.
KAREN WETZEL: Shifting in a different direction, what are ways you keep your skills sharp and keep up with what's important now?
KAREN RIBBLE: I subscribe to several key periodicals and newsletters that are in the various fields. I stay current with the NIST publications. I log in to ISACA’s SmartBrief on cybersecurity. There's one that I register for on health care that I get daily briefs. These sources often share related events on a new topic, so I always try to register for those. From a health care perspective, I like to stay current on changes in HIPAA and what other organizations are doing.
It’s important to give back to the cybersecurity community, as well. At our institution, we were active in a cybersecurity project and I've been pinging our chief information security officer saying, "We need to have a white paper out of this." We need to share what we’ve done—it might help another organization that is working to do the same. There is no need to reinvent the wheel. I’m always thinking about how we can improve or help others improve.
KAREN WETZEL: What do you enjoy most about the work that you do? What gets you up in the morning?
KAREN RIBBLE: You know, the thing that I really, really enjoy is every day is different. I love that I'm able to engage with different groups, and I'm involved in one project with about 50 people on it related to the clinical trials. I don't understand all of it, but I'm just amazed that I'll be in a room and there's all this brain power and we're implementing a tool that they can use to improve research and improve the patient experience. I think that's what's exciting.
KAREN WETZEL: It's that big picture understanding of the positive impact of technology and cybersecurity for an improved end result. My last question is, if you were able to give advice to someone considering a career in this field, maybe wants to follow your footsteps and work in project management, what would your advice be?
KAREN RIBBLE: I would suggest that they engage with the community. Just get in the door and share your interest so you can learn more. With the students I mentor, I also tell them to have an open mind. You might choose a certain area of work now, but it probably won’t be the same in 10 or 20 years. It’s more about what skills you have and how you can use those—whether you stay in the same field or if you want to pivot to another industry and take those skills with you.
KAREN WETZEL: Thank you so much, Karen, for your time today. I really appreciate it and enjoyed this conversation.
KAREN RIBBLE: This has been fun. I'm open to anyone who wants to learn more about IT project management and working in the health care arena, as well.