[BreachExchange] CISOs, CIOs on Creating a Cybersecurity Culture

Destry Winant destry at riskbasedsecurity.com
Tue Jun 18 10:11:54 EDT 2019


https://deloitte.wsj.com/riskandcompliance/2019/06/16/cisos-cios-on-creating-a-cybersecurity-culture/

Communicating the value of investments in cybersecurity to senior
leaders and board members can be challenging. Cyber often is perceived
as being highly technical, and some leaders view cybersecurity as an
IT issue, rather than a critical component of business strategy. While
there appears to be a shift in mindset among executives and board
directors, there remains ample room for those perspectives to evolve.

Consider that in the health care and life sciences sectors, cyber
criminals tend to see tremendous value in the patient data collected
and stored by organizations. Electronic health records, for example,
may contain a wealth of exploitable information—everything from
demographic information to work history to financial information. This
information can be worth substantially more on the black market than
bank records and other types of data.

While there is significant value in patient data—and in other types of
sensitive information, such as drug-development pipelines—there often
are fewer safeguards to protect it when compared to sensitive
information from other industries. In addition, there have been
examples of manufacturing operations, product shipment, and
third-party supply chain components being impacted by cyberattacks.
This has made health care and life sciences companies prime targets
for cyberattacks. At the same time, pressure to reduce health care and
health coverage costs could make it difficult to get leadership’s
attention when it comes to cybersecurity. Moreover, the proliferation
of connected medical devices, wearables, and data-gathering health
apps could create a bigger opening for threats.

In 2018, health care led all industries in the volume of cybersecurity
breaches—accounting for about 25% of more than 750 reported incidents,
according to a recently released report. That same year, about 15
million patient records were affected—nearly triple the number
reported one year earlier.

Executives Speak Out

So what works and what doesn’t when it comes to communicating
cybersecurity priorities? The Deloitte Center for Health Solutions
recently posed that question to chief information security officers
(CISOs), chief information officers (CIOs), and C-suite executives
from biopharma, medical device manufacturers, health plans, and health
systems.

Participants agreed that having a cyber-literate board and cyber-savvy
leaders is critically important. Beyond that, their responses
reflected seven recurring themes aimed at helping boards and senior
management make decisions to counter growing cyberthreats.

Create a dialogue to engage leadership and build trust. Participants
suggest that it falls on the cybersecurity function to provide senior
leaders and board members with information to help make cyber smart
operational and strategic decisions. In acknowledging that it may take
time for leaders to understand how cybersecurity affects specific
business functions, the CISOs emphasized the importance of focusing on
the core elements of cybersecurity with boards and executives so they
feel comfortable making decisions based on recommendations.

Use the power of storytelling. Industry observers, as well as many of
the research participants, say building a “story inventory” to help
illustrate relevant situations to board members and senior leaders is
helpful. One participant discussed preparing for board meetings by
building stories that illustrated recent cyber incidents that occurred
in the organization. Connecting specific incidents with specific
business functions can help leaders address risks and manage
processes.

Use simulations to illustrate that a “cyber everywhere” mentality is
the new norm. As health care and life sciences organizations expand
their digital footprint and store more data in the cloud, cyber risk
expands to every department, potentially affecting patients and
customers. Cyber-risk simulations can help organizations stress-test
their readiness, identify capability gaps, and determine where
additional training or preparation might be needed, say participants.
They also believe wargaming is an important strategy to create
plausible scenarios and develop collective buy-in.

‘While companies compete in the marketplace, they don’t compete on
cybersecurity. Collaboration among CISOs and their counterparts is a
significant component of many cybersecurity strategies.’

—Amry Junaideen, principal, Deloitte & Touche LLP

Explain how cyber teams collaborate with organizations inside and
outside the industry. While companies compete in the marketplace, they
don’t compete on cybersecurity. Collaboration among CISOs and their
counterparts is a significant component of many cybersecurity
strategies, and can occur through a combination of official and
informal channels, including the Health Information Sharing and
Analysis Center, public-private partnerships, consortia, meetings, and
just having other CISOs on speed dial. A few interviewed CISOs noted
they look to Silicon Valley and other creative hubs to stimulate
thinking on cybersecurity innovation.

Use metrics to quantify risk. Putting cybersecurity into financial
terms can help executives make more informed decisions. While there is
no standard way to quantify risk, interviewees agreed that a
metrics-driven approach can help connect the dots back to the mission
of the organization and specific business functions. The security team
can help leaders acknowledge that everything cannot be protected
equally. The team can also help the organization identify which data
is most critical to the enterprise, where data resides, how it is
collected and shared, and the potential impact if it is compromised.

Be prepared to answer and defend questions related to cybersecurity
investments. Company leaders often ask CISOs how much the organization
should invest in cybersecurity. But no amount of money can make risk
disappear, observed one interviewee. Although long-term costs
associated with data breaches can be difficult to quantify, brand,
reputation, patient safety, and consumer trust can all be affected.
Funding usually isn’t a problem, according to many interviewees.
Still, some company executives expressed concerns that leadership and
board members could become numb to the constant headlines about
threats, particularly in organizations where cyber incidents have
occurred, but had minimal financial implications. Some CISOs and CIOs
believe it is important that they continually explain how the threat
landscape is evolving and what the organization can do to manage the
risk.

Regularly assess talent models and their potential impact on the
organization. Attracting and retaining skilled talent was a
top-of-mind concern for many security leaders. Nurturing talent is
often part of the job for CISOs and CIOs; however, many participants
noted that traditional recruiting and retention models are failing
them. Some organizations are paying less attention to formal education
in favor of on-the-job training. One popular strategy is to recruit
people who have business and communication skills and train them on
the technical skills and knowledge. Indeed, the technical elements of
cybersecurity are sometimes easier to teach than the skills needed to
effectively communicate with leadership.

The research also indicates that the role of CISOs and CIOs has
expanded beyond the walls of the IT department, underscoring that
these security and technology leaders can often be well positioned to
help board members and senior executives understand potential threats
and respond to them appropriately.
