Dialogue and collaboration, combined with metrics and storytelling, can help security leaders successfully communicate cybersecurity risks and budgetary needs to healthcare organizations’ C-suite and board room members, according to a recent Deloitte Insights report.
The researchers interviewed 18 C-level executives involved with decision-making at biopharma, health plans, medical device manufacturers, and health systems to determine both the challenges and what communication strategies are working at these organizations.
“CISOs and CIOs told us that a major goal underpinning their communication strategies is to help board members and senior leaders move to a ‘cyber everywhere’ approach: an understanding that cybersecurity goes beyond the information technology bucket and can help reduce risk across the enterprise,” the researchers wrote.
“There is also evidence that C-suite executives in many organizations lack the understanding and awareness needed to prioritize cybersecurity,” they added. “While the amount of technical expertise needed might be subjective, our interviewees said life sciences and health care organizations should strive to have a cyber-literate board and leadership to stay competitive.”
According to the report, many of the interviewees said much of their time is spent communicating with board members, typically through an audit or technology committee. Their goal for the foreseeable future is to make the board more cyber-savvy.
Notably, only a few organizations felt their entire board engaged on cybersecurity issues.
To improve the board’s cyber literacy, the researchers drew on the interviews to identify seven key strategies for effective communication:
- Dialogue to build trust and engage leadership
- Storytelling to drive home first-hand scenarios
- Drive home a “cyber-everywhere” mentality
- Describe collaboration efforts, internally and with external organizations
- Present metrics to quantify risks, classify risks in terms of funds, and connect risk back to the organization
- Prepare to defend and answer questions around cybersecurity investments
- Assess and discuss future talent models and what they could mean to the organization
To start building a dialogue, security leaders need to provide board members with the data they need to “make optimal management decisions.” The goal should be to help board members make informed governance decisions, set strategic direction, and “make sure the risk gets escalated to the right level of leadership.”
“Leadership is about accountability,” the researchers wrote. “A critical early step is to ensure the board and senior leadership agree on the crown jewel data and assets that are most in need of protection… establishing a dialogue and building trust serves as a critical foundation for the other strategies.”
“A good report would provide leadership with a better understanding of the organization’s current state of cybersecurity, including threats and vulnerabilities the security team is seeing, as well as the near-term proactive steps being taken to mitigate those threats,” they added.
The report should also clearly outline how those threats and vulnerabilities could impact business functions if exploited, the researchers explained. For long-term strategies, security leaders should outline objectives, investments, and any calculated returns on investment for addressing those threats.
Lastly, a good report will share any progress made in achieving those objectives.
“It takes time to build a deeper understanding of the core elements and to build the credibility and trust necessary for the board and senior leaders to make decisions based on the security team’s recommendations,” the researchers wrote. “Providing transparency about an organization’s specific weaknesses can be uncomfortable, but it is necessary.”
“If leadership views the CIO, CISO, and their team as more operational and focused only on technology or information risks, the cybersecurity team could be treated as less of a strategic asset,” they added. “Regardless of how companies structure the chain-of-command, it is important to ensure the cyber function is senior enough to have line of sight and influence into strategy and operations.”
When it comes to presenting these findings to the board, the researchers explained that storytelling is much more effective than a slide deck. For example, a security leader can use specific security incidents from within the organization to illustrate potential or actual impact, as well as how different areas of the business could be affected by an event.
“Don’t geek out with senior leaders,” one respondent told the researchers. “Save the technical language for the technology team. When you talk to the board or your CEO, speak the language of business risk.”
“Cyber everywhere” refers to the ever-expanding threat landscape created by the demands of the healthcare business itself, such as patient portals, mobile apps, and third-party vendors. Framing cybersecurity this way, the researchers noted, makes it easier for security leaders to present risk management as part of business strategy rather than as an IT concern.
Another important element of note: the general consensus from the interviews was that leadership most wanted to know the specific risks the organization is facing, what is being done about them, and whether the team has the resources to make the right decisions and act quickly.
All of the interviewees said they use maturity models in board presentations.
“A metrics-driven approach is important to clearly connect the dots back to the mission of the organization, and back to specific business functions,” the researchers wrote. “A major theme was the importance of building updates based on a few key metrics that can be tracked over time.”
“Ultimately, interviewees said their role is to help make leadership comfortable with the reality that everything cannot be protected equally,” they added. “Organizations should have clear agreement and an understanding of which data is most critical to the enterprise, where it resides, how it is collected and shared, and the potential impact if it is compromised.”