CIOs, CISOs share advice on selling cybersecurity to the C-suite
When UC Irvine Health CIO Chuck Podesta needed a bigger security budget he walked the hospital’s chief executive through a typical data breach or loss scenario. The last bullet point: CEO apologizes to the public.
“He looked me right in the eye,” Podesta explained, “and said ‘I never want that to happen.’”
Podesta fired back: “Then it’s going to cost $5 million.”
The tactic was effective as part of a broader strategy to convince the board to fund more information security investments.
Many, if not most, hospitals are grappling with the same challenge of getting the resources they need to secure patient data. According to Symantec Health Information Technology Officer David Finn, boards and executives, rather than caring about cybersecurity, are all too frequently detached from it.
Several CIOs, CISOs, consultants and other experts have unique and common experiences in cajoling more money from the C-suite — strategies that could work in other hospitals as well.
Start with the business basics
Ronald Ross, a fellow and computer scientist at the National Institute of Standards and Technology, offered advice that infosec professionals can take to the boardroom: It’s always less expensive to invest in security than it is to clean up after data breaches and, what’s more, it’s not always possible to calculate the price of fixing things gone awry.
“When security is tacit it’s the first thing discussed in the C-suite,” Ross said. “It’s the first thing a program developer considers.”
It can also help to explain that security is basic risk management, including expenditure, insurance, regulatory compliance, all the things companies do to mitigate risk, said Lisa Gallagher, a managing director at PwC.
“The dialog between IT and executive management — they need to be speaking the same language,” Gallagher said.
CIOs and CISOs understand they are going to shoulder the burden of ensuring everyone is on the same page.
Indeed, security professionals knocking on the board room door should be aware that C-suite executives do not typically care as much about information security technology as you might.
“Stop talking about technology. I know it sounds crazy but stop talking about technology,” advised Meredith Phillips, chief information privacy and security officer at Henry Ford Health System. “Whatever your business is about, that needs to be the pitch.”
Just don’t neglect innovation. Instead, consider this: With security in place, healthcare organizations can try new apps quickly, literally conducting limited pilot deployments in minutes, instead of taking a year or more testing the app’s security before getting started.
“The biggest cost of not having security is not that you pay for data breaches, it’s that you’re not able to innovate,” said Mohit Tiwari, assistant professor of electrical and computer engineering at the University of Texas at Austin. “Innovation speed is slow and that’s the biggest problem.”
To achieve that, Tiwari recommended designing systems proactively rather than chasing individual attack vectors, and demonstrating to the board that you are wise enough not to spend money on attack-vector-based solutions.
Sharks and glaciers
CIOs and CISOs have to get the basics right, of course, including encrypting all relevant medical devices and segmenting networks so compromises don’t take down the whole environment.
“These are basic measures,” said Texas Children’s Hospital CISO Sanjeev Sah. “All of these have to be done right. It’s no good trying to protect against an advanced threat if you don’t have a good foundation.”
Perhaps the most potent selling point: Healthcare organizations that don’t effectively manage the basics cannot win in the evolving threat landscape.
NIST’s Ross said that CIOs and CISOs should outline for the board the modern threat space and what the organization’s critical assets are, because every system can be breached given enough time.
And he likened information security to the phrase “sharks and glaciers” because those are both most dangerous beneath the surface, unseen, until the strike hits and the damage is inflicted.
“Cybersecurity needs to flow up and down the organization,” Ross explained. “The C-suite has to understand in the core that cyber is critical to the organization’s survival in the world we live in today.”