How one COO manages cybersecurity across 30+ healthcare locations without touching a security dashboard
Jeff DeBellis has a secret. As COO of MAX Surgical Specialty Management, he's accountable for cybersecurity across more than 30 oral surgery practices in five states. Yet he spends almost zero time on security operations.
"99.9% of this is handled by our IT managed service provider," DeBellis explains. "When there are problems, we get a rundown in quarterly business updates."
Sound too good to be true? It's not. DeBellis has built what he calls "structured trust"—a framework that delivers executive accountability without operational overwhelm.
Most executives face an impossible choice: either micromanage cybersecurity (becoming a de facto security manager) or delegate completely (and lose accountability). DeBellis found a third path.
"I'm a physical therapist by education," he says. "I don't have technical security expertise. But I'm still accountable for protecting patient data, maintaining HIPAA compliance, and supporting our M&A growth strategy."
His solution? Build frameworks instead of managing processes.
DeBellis's approach rests on four simple principles:
Clear ownership to qualified teams. He partners with Protouch Solutions for IT management and Black Talon Security for cybersecurity. Each team owns specific responsibilities with defined performance expectations.
Exception-based reporting focused on business impact. DeBellis doesn't want technical details. He wants to know what matters for business operations. "I get quarterly updates on anything material. Threat volume and risk potential is monitored by Protouch and my director of operations."
Quarterly reviews integrated with standard operations. Security isn't a separate meeting. It's part of regular business reviews, making it sustainable rather than burdensome.
Immediate escalation for critical issues. When something needs executive attention, DeBellis gets it instantly. "I can text 'dude, something's wrong' and two minutes later someone's calling me."
Here's where DeBellis's framework gets interesting. He doesn't just manage vendors—he orchestrates partnerships between them.
"Black Talon and Protouch don't always agree," DeBellis admits. "But whatever debates they have always result in what's best for our organization. They work cooperatively and put personal opinions aside to reach the right conclusion operationally."
This requires emotional intelligence and relationship management. DeBellis facilitates collaboration between technical partners who might otherwise compete. The result? Better decisions and better outcomes.
DeBellis tracks three things:
Training completion rates. "We want 100% of existing employees completing training by year end. We've learned it's a really good first line of defense against liability."
Threat monitoring. Real-time dashboards show vulnerability exposure across all endpoints, but DeBellis doesn't check them daily. "It's wonderful to log in anytime and know exactly where we stand on potential risks."
Response time. When threats emerge, resolution speed matters. "The response rate and call to action to resolve problems is exceptional."
Notice what's missing? Technical details. Patch rates. Firewall configurations. DeBellis focuses on business outcomes, not IT operations.
The framework delivers what every executive wants: systems so reliable they don't need constant monitoring.
"When you have something that works, and a good relationship with an operational partner, and things are in steady state without disruptions... you don't spend time there because you don't have to," DeBellis explains. "You have a level of security. That's the whole point."
For MAX Surgical, this means:
DeBellis's approach offers practical guidance for any executive managing cybersecurity:
Build frameworks, not processes. Focus on structures that surface material issues without noise. Set clear expectations. Create escalation mechanisms that work.
Trust through structure. Select partners with demonstrated expertise. Create accountability that provides visibility without interference. Maintain access to information for strategic decisions.
Integrate, don't add. Embed cybersecurity into existing business processes rather than creating separate workflows. Make security a natural part of operations, not an additional burden.
"I do quarterly progress checks," DeBellis says. "I'm not the guy accessing the platform daily. But I get great feedback from my team."
That's the essence of the 99.9% delegation framework. Executive accountability doesn't require operational involvement. It requires the right partners, the right structures, and the right information at the right time.
The best executive oversight creates systems so reliable they don't need constant attention. When your security framework works this well, not thinking about it daily isn't negligence—it's success.