Changing the Conversation about Cybersecurity in Healthcare

Key Takeaways

  • Cybersecurity is a strategic business imperative, not just an IT issue.
  • Enterprise cyber risk management (ECRM) aligns cybersecurity efforts with business goals.
  • Gaining stakeholder buy-in is crucial for compliance and successful cybersecurity programs.
  • Strategic business decisions about cyber risk should align with business objectives.
  • Regular board engagement and education are essential for sustained cybersecurity efforts.
  • Continuous alignment of ECRM strategies with business goals is key to effective risk management.

Recent major cyberattacks highlight a crucial reality for healthcare: cybersecurity is now a critical factor impacting patient care and your organization’s ability to fulfill your mission.

That’s why, in this evolving landscape, the perception of cybersecurity must shift.

Instead of viewing security from a defensive lens of roadblocks and barriers, resilient organizations must recognize it as a core function that creates value and supports business goals.

But how can your organization meet this transformation head-on? The answer lies in building a culture that embraces cyber risk management as a strategic business imperative — one that exists well beyond your IT and security teams. In modern healthcare, cyber risk management now demands the board’s and your C-suite’s full attention.

Making the Shift

This shift begins with moving beyond traditional cyber risk approaches to focus on enterprise cyber risk management (ECRM), which is directly related to enterprise risk management.

ECRM is about understanding your organization’s unique risks and opportunities. It involves developing a plan of action to address specific cyber risks, all of which align with your business goals and objectives.

ECRM is a holistic approach to help your teams identify events that may impact strategy execution while also covering a gamut of risks such as operational, legal, regulatory, and cyber.

Why the push to shift now? The healthcare industry faces heightened risk due to the sensitive nature of patient data and the critical services it provides. Given these risks, implementing enterprise cyber risk management is crucial. This involves a thorough assessment of potential threats and vulnerabilities, followed by the development of robust mitigation strategies. This comprehensive approach safeguards patient data, ensures continuity of care, and empowers your organization to more effectively fulfill its mission.

Getting started: Assess your organization’s current cybersecurity posture and identify strategic areas where cybersecurity initiatives can enhance business operations. Then, develop a comprehensive ECRM plan that aligns with your business objectives and integrates cyber risk management into your overall risk management strategy.

Accountability is Crucial

Because of competing priorities, getting buy-in across your organization is not always easy. There is a wide range of cybersecurity awareness, interest, and understanding at your board and C-suite levels. However, with the recent increases in ransomware and the cost associated with breaches, interest and engagement are increasing. Unfortunately, interest alone is not enough.

Historical examples, like the Sarbanes-Oxley Act in the early 2000s, show that accountability drives action. When organizations make the shift to ECRM and focus on accountability, resources often flow, and efforts to manage risks get more focused attention across the organization. Without accountability, all the compliance regulations and guidelines are just noise.

A recent letter from Senator Ron Wyden regarding UnitedHealth Group’s cybersecurity practices highlights this issue. It pointed out that the responsibility for cybersecurity is with the executive team and the board. And in some ways, this reality check has made CEOs and board directors realize the gravity of their roles in managing cyber risk, even in instances where regulatory agencies haven’t yet developed standards for accountability.

Even so, CISOs today recognize risk management as a governance function, and many are beginning to seek coverage under directors and officers (D&O) and errors and omissions (E&O) insurance policies. This is one of the many reasons board and executive teams must understand that cybersecurity is about business risk, not just IT risk. 

Getting Key Stakeholder Buy-in

Communicating the potential business impacts of cyber risks is crucial to gaining buy-in. This means shifting technical jargon into business language that demonstrates how cyber incidents can affect the bottom line. By aligning cybersecurity with business objectives, stakeholders can see the value of investing in robust cyber risk management strategies.

Make it work for you: Facilitate regular board and executive-level briefings on cybersecurity, emphasizing its impact on business risk and the importance of governance and accountability.

Strategic Business Decisions About Cyber Risk

The most critical decision for C-suite executives and board members is determining how your organization will approach enterprise cyber risk management. This includes establishing a standard glossary of terms, identifying and analyzing unique risks, setting risk appetite and opportunity thresholds, deciding how to manage those risks (accept, avoid, mitigate, transfer, invest), and how to leverage cyber opportunities.

Each hospital or healthcare organization will have unique risks; understanding these specifics is key. These decisions are particularly crucial in healthcare due to the high stakes involved. Patient safety, data privacy, and regulatory compliance are all at risk. Executives must decide how much risk is acceptable and where to invest in cybersecurity measures to protect your organization and patients.

Make it work for you: Establish a clear, organization-wide glossary of cyber risk terms and develop a structured process for identifying, analyzing, and managing cyber risks in alignment with business goals. Here are 8 key terms to focus on.

Setting Expectations for Stakeholder Involvement

While the board’s role is to set the direction for enterprise cyber risk management, execution should be left to your management teams. The board should focus on strategic decisions, not technical details like multifactor authentication or specific controls. Appropriate teams across your organization should manage these details.

The board should focus on strategic decisions, including discussions about top risks and opportunities, advancement of your cybersecurity program, and educational events that keep your board informed. 

But building engagement isn’t easy. Effectively engaging the board requires CISOs and other security executives to work together to build credibility. This means presenting cyber risks in business terms. These leaders should focus on providing your board with updates on program advancement and how you’re maturing in governance, people, processes, technology, and engagement.

Metrics and key performance indicators (KPIs) that resonate with your board can facilitate these engagements. For example, highlighting cyber incidents’ potential financial and reputational impacts can help stakeholders understand the importance of proactive cybersecurity measures. Regular updates on the progress of cybersecurity initiatives can also keep the board engaged and informed.

Make it work for you: Schedule regular, strategic discussions on cybersecurity at the board level, focusing on top risks and opportunities, and ensure board members receive ongoing education on key cybersecurity matters.

Building Board Engagement

Engaging the board is challenging. Your C-suite and board members focus on growth, customer service, and value creation, so risk management is not always a priority. And often, it confuses them. By acknowledging this reality, security leaders can help executives integrate risk management with other business priorities.

To do this:

  • Form cross-functional teams that support business initiatives and avoid siloed approaches.
  • Engage the board by connecting cybersecurity risks to business outcomes.
  • Discuss how cyber risks affect growth, reputation, and the ability to serve patients.
  • Shift the conversation from technology to business impact.

Building credibility with the board also involves discussing how risks affect growth, reputation, and customer trust.

Once the board understands risks, pivot the conversation to discuss value creation and leveraging cyber opportunities for a competitive advantage. This approach makes cybersecurity relevant to the board’s primary focus.

Here are some helpful steps to consider:

  1. Prepare
     • Identify key risks and opportunities and translate them into business terms.
     • Use data and metrics meaningful to your board.
  2. Educate
     • Provide ongoing education about the evolving cyber threat landscape and operational impact.
  3. Engage
     • Involve the board in regular discussions about cybersecurity strategy, ensuring they understand the business implications of cyber risks.
  4. Leverage
     • Highlight success stories that demonstrate how cybersecurity initiatives drive business value. Progressive definitions of risk, such as those by the National Association of Corporate Directors (COSO), consider both positive and negative impacts. This broader view of risk helps identify opportunities that create business value through cybersecurity efforts.

For instance, demonstrate how cybersecurity investments can decrease the likelihood of costly data breaches to maintain patient trust. This can be a powerful motivator.

Make it work for you: Prepare and present case studies that illustrate the business impact of cybersecurity initiatives. Focus on how these initiatives enhance customer loyalty, brand trust, and revenue in similar organizations.

Quantifying Risk for Business Growth

Consider the example of Equifax, which experienced a significant breach in 2017. The new CEO and CSO implemented the MinMax Plan, which focused on minimizing risk while maximizing business value. Equifax now publishes an annual security report, creating business value by building customer trust.

Similarly, GE commercialized its disaster recovery program in the mid-1980s, turning a necessary security measure into a profitable business venture.

These examples highlight that you can effectively leverage security solutions to create business value beyond merely mitigating risks. Healthcare organizations can draw on this to quantify the potential business impact of cybersecurity initiatives. This involves conducting thorough risk assessments and using data to support investment decisions. By demonstrating a clear return on investment, you can secure the necessary resources to implement effective cyber risk management strategies.

Make it work for you: Analyze and share real-world examples within your organization to demonstrate how other companies have successfully turned cybersecurity initiatives into business growth opportunities.

Aligning ECRM Strategies with Business Goals

To align ECRM strategies with business goals, use diagnostic tools like the Business ECRM Alignment Diagnostic, developed by Clearwater Founder and Executive Chairman Bob Chaput. This tool helps assess how well your enterprise cyber risk management program supports your business objectives. It involves a series of questions to gauge alignment, providing insights into areas that need improvement.

This alignment is essential for healthcare organizations to ensure that cybersecurity efforts support the primary mission of patient care. By regularly evaluating and adjusting your ECRM program, your organization can more effectively address emerging threats and ensure your cybersecurity strategies are effective and relevant.

Contact Clearwater today for further insight on how to engage your board and executives in productive dialogue about cybersecurity, align strategies, and deploy effective cyber risk management solutions that help you achieve your mission while safeguarding patient care and business operations.
