[BreachExchange] Are CISOs Building Effective Business Cases for Data Security Investment?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Apr 8 15:17:27 EDT 2016


http://www.information-management.com/blogs/security/are-cisos-building-effective-business-cases-for-data-security-investment-10028578-1.html

Feinstein Institute for Medical Research, North Memorial Health Care of
Minnesota, and St. Joseph Health System made the headlines recently with
their million dollar settlements for their data breaches. This means there
are a few more executives added to the ranks of those wishing they spent
more time, attention and resources on security.

The topic of security continues to be a major healthcare industry pressure
and is becoming a board-level agenda item. So why do security initiatives
such as laptop encryption still seem to lack adequate funding,
prioritization and support—until a breach or lawsuit occurs or HIPAA
auditors demand change?

These executives, like many more before them, weren’t convinced that
certain security efforts or initiatives were important enough to receive
funding. Maybe they didn’t know that security requires ongoing investments
coupled with effective and consistent management and execution.

Of course, all executives have competing priorities with finite resources.
So maybe part of the problem is that those selling security to these
executives didn’t have a valid business case that demonstrated how results
could be delivered and the value it could bring.

The overall budget for security-related costs is often within decentralized
healthcare organizations and resides with a number of different clinical,
business and technology areas. Typically, the easy business case to make
for security investments comes from improving the organization’s overall
security posture.

However, CISOs will have to redesign this undemanding path toward an
approach for making business cases in terms executives can appreciate and
directly connect to the organization’s top strategy goals and objectives.
Making more effective business cases can help to gain investment dollars
and increased control for a budget not always under a CISO’s direct
management.

Security investment decisions are only as good as the business case
process. The first step in this process is to define the security
initiative well enough so that decision makers can make informed choices.
Business cases do this by helping executives understand the business value
of the security investments, and decide whether to fund them. They justify
the security investments and guide the subsequent work. In short, they
drive results, and not just promise them, because they’re used to ensure
the project and the benefits are delivered.

Each business case is a critical input to the following management
processes:

- Security funding and investment appraisal and prioritization
- Operational control and coordination
- Benefits realization

Effective business cases avoid common shortfalls. Healthcare executives are
often asked to approve large capital investments based on flimsy business
cases that:

- Aren’t aligned with corporate plans, objectives and strategies
- Focus on technology rather than on the needed changes in processes and
  people that will achieve the benefits
- Ignore major risks or how they will be mitigated
- Don’t quantify all potential benefits, who will achieve them and how they
  will be measured
- Have little or no involvement or ongoing commitment from stakeholders
- Aren’t used to institutionalize new ways of working and the resulting
  benefits
- Aren’t used to guide the projects from analysis through implementation
- Aren’t documented and communicated clearly and credibly

Business cases are generally viewed only as documents for gaining
funding. Once approved, they are put away. Many healthcare organizations
track project costs against estimates, but few seriously track the business
benefits the projects actually achieve.

CISOs can help build effective business cases and leverage their use in
three ways:

Develop effective cases collaboratively

Effective business cases are developed using a business-driven, inclusive
process that avoids three common shortfalls by:

- Involving all stakeholders to ensure approval and ongoing support
- Focusing on how the business will achieve changes related to both processes
  and people
- Identifying all potential benefits and who will achieve them

Fully document and communicate

Effective business cases fully document and clearly present the information
decision makers need and avoid three other common shortfalls by:

- Linking the business case to business strategies, plans and objectives
- Describing the major risks and how they will be mitigated
- Packaging the business case while boosting its credibility

Leverage effective business cases after approval

Effective business cases add value throughout the entire project life
cycle. They are used for:

- Guiding and assessing project execution
- Tracking how well process and people changes are being institutionalized,
  and the realization of benefits

Organizations need to continually invest in security to successfully
minimize incidents and breaches. As a result, it’s important to choose the
right investments and to make sure they deliver.

Unfortunately, security business cases can fall short. But CISOs can
revamp their approach and build effective business cases by avoiding common
shortfalls and focusing on results and the value that they bring. Effective
business cases significantly improve the odds of project success because
they generate stakeholder commitment and not just support, they are
credible, and they guide the work to ensure that expected benefits are
realized.