When a Dental Service Organization (DSO) transitions from "chain expansion" to "multi-location operations," cybersecurity is no longer just a technical issue confined to the server room—ransomware doesn't distinguish between the IT department and the CEO's office. For most DSOs, cybersecurity has long been framed as an "IT problem"—until the moment systems are completely locked down, patients cannot be seen, and cash flow is interrupted. It's at that point management realizes: security has never been just a technical configuration issue; it's an organizational governance issue.
This issue features a dialogue with two practitioners from different positions. Gary Salman, Co-founder and CEO of Black Talon Security, has over 32 years of experience in healthcare technology and cybersecurity. He was involved in building and deploying one of the earliest cloud-based healthcare systems, and his company currently serves over 1,800 institutions globally. Shawn Manis, Chief Information Officer of Chord Specialty Dental Partners, leads the digital security architecture for this multi-specialty DSO, which spans 6 states, over 60 clinics, and more than 1,000 employees.
Their shared judgment is: when a cyberattack occurs, what often amplifies the damage is not the technical vulnerability itself, but the fact that management was never truly aligned beforehand.
Executive accountability, cross-departmental drills, GRC framework implementation, risk visualization—these terms are not unfamiliar in the security industry. But in the context of a DSO, what do they mean?
The interview follows.
Q: Why is cybersecurity not just an IT matter, but an issue for which executives must take responsibility?
Shawn Manis: I've been in healthcare IT for over twenty years. In the early years, I also believed that as long as the technology was in place, systems were configured correctly, and tools were fully deployed, security issues could naturally be controlled. But reality has taught me many lessons.
If cybersecurity remains solely at the IT level, a true defense line cannot be established.
I've seen some DSOs where, after a security incident, the perceptions among the executive team, the board, and investors were completely different. Some viewed it as a technical vulnerability, others worried about regulatory liability, some focused only on financial loss, and others were more concerned about public relations risk.
When these discussions only begin after an incident occurs, it's very difficult for the organization to quickly align internally.
In our DSO, cybersecurity is a fixed agenda item for CEO meetings. I report on the security posture to him every two weeks. Even without major projects, he proactively asks me: "Has our score changed? Have there been any minor incidents? Are there areas that need preemptive intervention?"
This continuous attention itself sends a signal within the organization—this is not an isolated task for the IT department; it's a management responsibility.
Q: In your observations, what specific problems arise from a lack of executive involvement?
Gary Salman: We work on prevention and also participate in a lot of post-incident response work. When we're actually on-site during a security incident, we often see a phenomenon—a lack of unified understanding among leadership.
The board doesn't know what's happening, private equity investors are worried about valuation impact, the executive team doesn't know which issue to prioritize, and different departments have completely different understandings of the scope of impact. And more critically—often it's not the technical problem itself that amplifies the loss, but the lack of prior alignment among management.
When departmental expectations differ, decision delays occur. What does delay mean in a cyberattack scenario? It means the impact expands. That's why I emphasize that executive accountability is not a formality issue; it's a substantive risk control mechanism.
Q: What is the impact of executive engagement on an organization's security culture?
Shawn Manis: Employees don't truly prioritize security because of policy documents.
They observe management's attitude. If the CEO never asks about security, employees naturally assume it's not a core issue. But if executives continuously focus on security scores, budget allocation, and equipment aging, employees will realize this is an organizational priority. I work very closely with our Chief Compliance Officer. She not only focuses on paper compliance but also digital compliance—including network architecture, endpoint security, and access controls. Our head of legal has also experienced actual data breaches, so she proactively participates in risk discussions.
When compliance, legal, operations, and finance are all involved, security is no longer just a reminder from the IT department; it becomes an organizational consensus.
Q: How do you explain complex cybersecurity risks to the CEO or other non-technical executives?
Gary Salman: I never start with technical details. If I tell a CEO that a certain firewall port is misconfigured, or a certain endpoint patch wasn't updated on time, it's hard for them to translate that information into decisions. I prefer to talk about three things:
First, risk trends. For example, our overall risk score increased from 10 to 20. That doesn't necessarily mean "risk doubled"; it could be that newly acquired clinics aren't fully integrated yet.
Second, business impact. If systems are down for 72 hours, how much revenue would we lose? How long can cash flow sustain it? Does it affect patient scheduling?
Third, decision choices. If we don't update equipment or upgrade firewalls now, what level of risk will we bear by the end of 2026?
Executives don't need to know the configuration details of every machine, but they must understand the risk structure and the cost of decisions.
Q: What state does an organization typically experience when a real attack happens?
Gary Salman: Most ransomware incidents lead to a complete lockdown.
Patients cannot be seen, revenue systems are down, HR systems are inaccessible, and order processes are interrupted. Many people think "if the data is in the cloud, it's fine," but they overlook a reality—can the computers still run normally? Is the network isolated? Must the environment be frozen during the investigation?
And investigations often take days. Compliance and regulatory requirements kick in simultaneously. If there's no prior planning, this lockdown state can cause significant business disruption.
Q: When a cyberattack actually occurs, how do you quickly align roles and responsibilities?
Shawn Manis: The reason we can maintain order during an incident is that the process is clearly documented beforehand.
Once the incident response mechanism is triggered, we immediately convene the compliance lead, legal lead, CEO, operations lead, and the IT team. The goal of the meeting is not to discuss technical details, but to quickly determine responsibility assignments. Who is responsible for communicating with the insurance company, who interfaces with the external security team, who leads the internal investigation, who handles regulatory communication—all of this is clarified at the outset.
I particularly emphasize "named responsibility." You can't say "someone will do it"; you must clearly assign it to an individual. This avoids confusion and delays. Real chaos often stems not from the technology itself, but from unclear roles.
Q: What is the value of tabletop exercises in responding to cyberattacks?
Shawn Manis: When a real attack occurs, the organization often enters a state of complete lockdown. System downtime, device isolation, and compliance investigations all directly impact business continuity.
The significance of tabletop exercises is to let management experience this impact in advance. During exercises, we discuss: What if systems are down for 48 hours? 72 hours? Can the HR department still process payroll? Can the clinical department still see patients? How long can cash flow sustain it?
If these questions aren't discussed in peacetime, they turn into blame and panic when an incident occurs. Exercises help everyone see their interdependencies and help non-technical executives understand that "cloud systems are still up" does not equal "business can run normally."
Q: How do you resolve the issue of inconsistent perceptions of cyberattack impact among departments?
Gary Salman: I often see huge differences in how different departments judge tolerable downtime. HR might think two days of downtime is not a big deal, operations starts calculating losses from day one, and the clinical department faces direct patient pressure.
The problem isn't the difference in viewpoints itself, but that these differences weren't discussed beforehand.
When a ransomware attack occurs, the entire environment usually needs to be locked down for investigation. In such a situation, if departments haven't managed expectations, they'll think IT "wasn't prepared."
The real solution is to align expectations before an incident occurs, ensuring every department understands its role and risk boundaries.
Q: What is the role of GRC (Governance, Risk, Compliance) in DSO cybersecurity management?
Gary Salman: I think many organizations hear GRC and think it's a technical concept. But in reality, it's a management concept.
Governance, simply put, is—who is responsible? Who has decision-making authority? How does security align with business objectives? Without clear ownership, security becomes "everyone is managing it, but no one is truly responsible."
Risk is about whether we truly understand where the threats lie. Every network has risks, but the question is—can we see them? Do we know which risks affect patient service, revenue, and compliance liabilities?
Compliance is the practical issue after an incident occurs. If a data breach happens, will it involve regulatory investigation? Will it create legal liability? These are things executives must understand.
The problem for many organizations isn't a lack of technology, but a lack of a governance framework. If security isn't aligned with business and patient service, it gets treated as an isolated IT issue.
Q: With limited budget and resources, how do you prioritize risks?
Gary Salman: The reality is, you can't address all risks. The attack surface is too large, threats change too fast. The question isn't "does risk exist?" but "which risks are prioritized?"
Shawn Manis: For me, the prioritization logic is quite straightforward. We are a Dental Service Organization (DSO); patient service is the top priority. If a network incident prevents us from seeing patients, that's the most direct and severe business impact.
Next is data and compliance risk. For example, risks related to the Health Insurance Portability and Accountability Act (HIPAA). If new compliance issues are triggered during incident handling, that can lead to greater cascading effects. After that come technical improvements like equipment updates and network architecture optimization.
I never pursue "zero risk." That's unrealistic. Cybersecurity is more like ongoing maintenance. What we can do is, before an attack occurs, minimize the scale of impact and shorten recovery time as much as possible.
Q: What does "risk visualization" mean for management decision-making?
Gary Salman: I believe this is currently the most underestimated part. Many executives aren't unwilling to invest in security budgets; it's that they simply can't see what the risk actually looks like. What they hear is "systems are fine," "IT is handling it."
I often translate risk into quantifiable metrics, like a risk score from 1 to 100. This way, the CEO can see trend changes. If the score suddenly rises, he'll ask: "What happened?" Then you can explain—for example, newly acquired clinics aren't fully integrated yet, or certain asset configurations aren't up to standard.
Executives don't need to know the details of every firewall, but they need to see trends. They need to know: "If I don't invest the budget today, what consequences will I bear?"
The phrase I hear most often after an incident is: "If we had known earlier, we would have made different decisions." The significance of risk visualization is to turn "post-incident regret" into "pre-incident decision-making."
Q: Why do you repeatedly emphasize the need to prepare before a cyberattack occurs?
Gary Salman: Because once an incident occurs, the organization almost immediately enters a state of chaos. System lockdown, investigation initiation, regulatory requirements, business stoppage—all problems appear simultaneously. Many organizations realize only then that departments were never aligned. The clearer the plan and the more defined the responsibilities, the more controllable the losses during the incident. The more preparation done, the better the outcome.
Shawn Manis: I often use an analogy: cybersecurity is like car maintenance. You can delay replacing parts, you can ignore routine upkeep, but the problem doesn't disappear. It only erupts when you least want it to.
If we prepare in advance—clarify processes, define responsibilities, deploy monitoring tools—then even if an incident occurs, we can recover faster.
I always remember one saying: It's not "if you will be attacked," but "when you will be attacked." The difference is, when the attack happens, whether you are prepared.
Q: If you had to summarize the most important things in DSO cybersecurity management, what would you emphasize?
Shawn Manis: For me, the most important thing isn't any single tool, but organizational-level preparation. Management must be continuously involved; security topics must be on the fixed agenda. The IT team must translate technical language into management language so executives understand the risk structure. Processes must be clearly documented; drills must be conducted regularly. Security is not a one-time project; it's an ongoing management activity.
Q: If you were to give actionable advice to other DSO managers, what would you emphasize?
Gary Salman: I would emphasize three things. First, don't assume everything "has been handled." Demand to see data, see the risk structure. Second, establish a clear incident response mechanism rather than deciding responsibilities ad hoc during an incident. Third, make security a fixed agenda item for board and executive meetings.
Cyber threats change every day. Risk doesn't decrease by being ignored. The real difference is whether the organization is prepared when an incident occurs.
About DGN: DentalGoodNews (DGN) is a trusted professional media platform dedicated to the global dental industry. We deliver in-depth coverage of corporate news, policy & regulation, investment & funding, and clinical frontiers, serving dental institutions, device manufacturers, investors, and industry researchers worldwide. Contact us: haodeya@dongxizixun.com