
Bridging the Gap Between Cybersecurity and Patient Care

How a unique business liaison role is helping clinicians, executives, and cybersecurity teams speak the same language.

In a recent Clearwater Cyber Briefing, CEO Steve Cagle sat down with Tracey Touma, Cleveland Clinic’s first Cybersecurity Business Liaison, to explore how healthcare organizations can align security, clinical, and business priorities. In this candid conversation, Touma discusses bridging communication gaps, balancing innovation with risk, and putting patients first — even in cybersecurity.

Q&A

Steve Cagle: Tracey, you hold a unique role as Cleveland Clinic’s Cybersecurity Business Liaison. What led to the creation of that position?

Tracey Touma: It really started during the integration of Akron General into Cleveland Clinic. We had great success rolling out a tap-and-go authentication system, while other sites were struggling. The difference wasn’t technology — it was communication.

We spent time with clinicians explaining why we were changing workflows and how these tools would actually make their jobs easier. Once people understood that cybersecurity supported better patient care, adoption skyrocketed. That experience showed us the need for a dedicated role to translate between cybersecurity and clinical operations — and that became the Cybersecurity Business Liaison.

“Clinicians just want to take care of patients. When we explain how cybersecurity helps them do that, they become our strongest allies.”

Steve Cagle: You’ve said before that innovation and automation can reduce clinician burnout but also introduce new risks. How do you balance innovation and security at Cleveland Clinic?

Tracey Touma: We’re an innovative organization — research and technology drive better outcomes. But every new tool or AI model has to be vetted for security and clinical value. Sometimes that means segmenting research environments or creating isolated sandboxes.

We don’t want to slow innovation, but we need the right guardrails. It’s about maintaining security without creating friction that hinders patient care.

Steve Cagle: You created something called the Friends of Cybersecurity program. Can you tell us how that works?

Tracey Touma: Friends of Cybersecurity is a quarterly program that brings together caregivers, informatics, pharmacy, lab, and other specialties. We share threat intelligence, key project updates, and ask for feedback.

I’d seen “champion” programs before, but they were mostly one-way communication — IT delegating tasks. We wanted something different: a true partnership. Our “friends” have a voice. They tell us when something doesn’t work, and we listen.

“We called it Friends of Cybersecurity because friends are loyal — they tell you the good, the bad, and the ugly. That honesty makes us better.”

Steve Cagle: You’ve gone as far as shadowing clinicians and even following patients through care to improve processes. What did that reveal?

Tracey Touma: It was eye-opening. I spent full days in outpatient clinics observing clinicians — no talking, just taking notes. We discovered technical issues like poor network coverage and configuration problems, but also workflow barriers we hadn’t realized existed.

In one case, clinicians were wasting time re-searching patient records every time they logged in. By reconfiguring the system so a session stayed tied to the patient’s room, we eliminated errors and saved valuable minutes per encounter.

That same mindset applies to security. We can’t design effective controls unless we understand how care is actually delivered.

“You can’t improve workflows from behind a desk. You have to see what it looks like on the front lines.”

Steve Cagle: When you brief executives and clinicians on cybersecurity, what resonates most?

Tracey Touma: Patient experience. Outages and delays don’t just disrupt operations — they erode trust. Patients expect the Cleveland Clinic to deliver world-class care, and a cyber incident threatens that trust.

So, when I talk about risk, I link it directly to patient outcomes and brand reputation. That’s what makes people pay attention.

Steve Cagle: How do you help business leaders and CISOs understand each other’s worlds better?

Tracey Touma: Education and empathy. For executives, I explain cybersecurity in business terms — like insurance. A teenager learning to drive increases your premium, but good habits and preparation can bring that cost down.

For security leaders, I recommend table-top exercises with executives. When leadership experiences the impact of losing billing or pharmacy systems firsthand, they understand the stakes. And they start thinking proactively about resilience.

Steve Cagle: You’ve emphasized measuring trust and engagement, not just security metrics. What KPIs do you look at?

Tracey Touma: Engagement is key. For example, when we moved from eight-character to twelve-character passwords, we updated more than 80,000 accounts in six months — because people understood the why.

We also track “pajama time” — how much after-hours documentation clinicians are doing. If AI or new tools reduce that, that’s a cybersecurity success story, too. The goal is to make caregivers’ lives easier while keeping systems secure.

“Success isn’t just fewer incidents. It’s when clinicians finish work on time and still feel supported by technology.”

Steve Cagle: If a CISO wanted to start a program like yours tomorrow, where should they begin?

Tracey Touma: Start with what you already have — most organizations have a Champions program. Reimagine it as a friendship program. Build trust, listen to feedback, and don’t try to prove your worth — demonstrate it through collaboration.

Involve your project managers, business relationship managers, and informatics teams. Everyone touches patient care in some way. And make sure your mission is clear.

“It takes a village to care for patients. Cybersecurity is part of that village.”

Steve Cagle: At the end of the day, how do you want caregivers and leaders to view cybersecurity?

Tracey Touma: As a partner, not a barrier. When caregivers see us shadowing them, listening to pain points, and helping solve problems, it changes the narrative.

We’re not here to slow people down — we’re here to protect patients and help them succeed. When everyone understands that, cybersecurity becomes part of the culture.

Steve Cagle: That’s a powerful message, Tracey. Thank you for sharing your perspective and for the incredible work you’re doing to strengthen both care and security.

Tracey Touma: Thank you, Steve. It’s been a pleasure.

This interview has been edited and condensed for clarity.

The post Bridging the Gap Between Cybersecurity and Patient Care appeared first on Clearwater.
