This blog was originally posted on Healthcare Business & Technology: http://www.healthcarebusinesstech.com/help-for-healthcare-cisos-in-budgeting-for-security-products/
Because stolen patient records sell well on criminal markets, healthcare organizations face attacks that are more frequent, more sophisticated, and constantly changing. At the same time, an overwhelming number of security solutions are being pitched to them, and CISOs are often left questioning which products will bring the best ROI for their budget.
Recently, Rishi Bhargava, our co-founder and VP of Marketing, sat down with Healthcare Business & Technology to share some tips on how healthcare CISOs can best budget their security products, secure buy-in from the executive suite, and realize positive ROI.
Security Challenges in Healthcare
CISOs in health care must justify their security expenditures in terms of actual ROI. C-level executives expect hard numbers that detail exactly what they are getting for the money spent. However, security does not always fit the metrics typically used to justify capital expenditures, because many of the benefits delivered by security products are intangible: the breach that did not happen does not show up on a balance sheet.
If a CISO wants to purchase a firewall, the justification may require threat information about the vulnerability of the organization's health information systems, as well as case studies of health organizations that paid the price for not fully protecting their networks. Unfortunately, those who must approve the expenditure often struggle to convert this information into an ROI dollar amount and a business case.
In addition, CISOs' budgeting can be hampered by a lack of insight into what each security solution delivers, whether each product is being fully utilized, and whether each solution is producing its expected results. CISOs also need information on the types of attacks the organization has faced and is most likely to encounter in the future. For example, did attackers mount a persistent campaign against the network, or did malware get in when an employee fell for a phishing email?
The more information a CISO has, the easier it is to make the case for funding. Historically, healthcare CISOs have invested in compliance and reactive attack prevention, focusing less on proactively detecting and responding to threats. Unfortunately, cybercriminals have demonstrated that with enough persistence they can penetrate most health networks over time. Today's preventive security products stop many attacks, but sophisticated criminals can still get through a health organization's defenses eventually, and it takes only one successful exploit to ruin an organization's business and reputation.
At its most basic, cybersecurity is risk management. Health security officials must understand the PHI and other assets that require protection, the threats that place these assets at risk, and the harm a successful attack could cause the organization. Healthcare CISOs typically have vast amounts of data with which to identify and assess risks, but how can they present this information in a way that is easy for others to understand, given that much of it may not appear directly related to the organization's cybersecurity efforts?
One way is with security scorecards. What CISOs need is a platform that gives them visibility into all of the security products the hospital uses. A security automation and orchestration platform, for example, centralizes the data from all of those products. From that data, scorecards can be built for incident response functions and used to help CISOs make informed budget decisions about each product. The scorecard also organizes the information in a form that helps justify expenditures and allocations to those who give the final approval.
CISOs can use scorecards to present information in ways that other health executives can relate to business goals. Cybersecurity in health care is not a silo; it touches every department in the organization. Digital risk management covers the whole organization, and cybersecurity products must contribute to the organization's overall goals.
Impact on business goals
Scorecards can demonstrate how security products impact these business goals. For example, since all healthcare organizations must protect private patient information, scorecards can illustrate how a successful breach will damage the organization’s reputation. If a business goal is to make PHI easier for remote clinics to safely access, scorecards can show how suboptimal security makes the plan unviable.
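The paragraphs above describe building scorecards from centralized incident data and asking which products are actually used, which detect real threats, and what kinds of attacks the organization faces. The following is an added example, not Demisto's code or anything from the original post, of what such a per-product scorecard can look like once an orchestration platform has centralized the incident records. The product names, annual costs, and incident records are constructed sample data; the metrics (precision, mean time to contain, cost per confirmed detection) are one reasonable choice of what to put on a scorecard, not a standard.

```python
"""Per-product security scorecard built from centralized incident records.

Added example (not Demisto's code or the original post's). It assumes an
orchestration platform has already centralized incident data so that every
incident records which product raised the alert, whether triage confirmed it,
how long containment took, and the attack category. All data below is
constructed sample data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional


@dataclass(frozen=True)
class Incident:
    """One incident as a centralized platform would record it."""
    detected_by: str           # product whose alert opened the incident
    true_positive: bool        # analyst triage confirmed a real threat
    minutes_to_contain: float  # alert opened -> containment action completed
    category: str              # attack type: "phishing", "malware", "persistent"


# Constructed sample data: annual cost (USD) of each deployed product.
# "dlp" is deployed but never raises an alert in this sample, so the
# scorecard must still show it rather than hide shelfware.
PRODUCT_COST: Dict[str, float] = {
    "email-gateway": 40_000.0,
    "edr": 120_000.0,
    "firewall": 60_000.0,
    "dlp": 80_000.0,
}

# Constructed sample incident records for one quarter.
INCIDENTS: List[Incident] = [
    Incident("email-gateway", True, 30.0, "phishing"),
    Incident("email-gateway", True, 45.0, "phishing"),
    Incident("email-gateway", False, 0.0, "phishing"),
    Incident("edr", True, 120.0, "malware"),
    Incident("edr", True, 600.0, "persistent"),
    Incident("edr", False, 0.0, "malware"),
    Incident("edr", False, 0.0, "malware"),
    Incident("firewall", True, 90.0, "persistent"),
    Incident("firewall", False, 0.0, "malware"),
    Incident("firewall", False, 0.0, "malware"),
    Incident("firewall", False, 0.0, "malware"),
]


def build_scorecard(incidents: Iterable[Incident],
                    product_cost: Dict[str, float]) -> Dict[str, dict]:
    """Aggregate incidents into one scorecard row per product.

    Each row carries numbers a budget conversation needs: alerts generated,
    how many were real (precision), how fast confirmed incidents were
    contained, and what each confirmed detection cost. Products with no
    alerts still get a row so that unused products are visible.
    """
    alerts: Counter = Counter()
    true_positives: Counter = Counter()
    contain_minutes = defaultdict(float)

    for inc in incidents:
        alerts[inc.detected_by] += 1
        if inc.true_positive:
            true_positives[inc.detected_by] += 1
            contain_minutes[inc.detected_by] += inc.minutes_to_contain

    scorecard = {}
    for product, cost in product_cost.items():
        n_alerts = alerts[product]
        n_tp = true_positives[product]
        scorecard[product] = {
            "alerts": n_alerts,
            "true_positives": n_tp,
            "precision": n_tp / n_alerts if n_alerts else None,
            "mean_minutes_to_contain": contain_minutes[product] / n_tp if n_tp else None,
            "annual_cost": cost,
            "cost_per_true_positive": cost / n_tp if n_tp else None,
        }
    return scorecard


def threat_mix(incidents: Iterable[Incident]) -> Counter:
    """Confirmed incidents by attack type: what the organization actually faced."""
    return Counter(inc.category for inc in incidents if inc.true_positive)


def rank_by_cost_per_detection(scorecard: Dict[str, dict]) -> List[str]:
    """Products from cheapest to most expensive per confirmed detection.

    Products with no confirmed detections have no denominator and sort last.
    """
    def key(item):
        cost: Optional[float] = item[1]["cost_per_true_positive"]
        return (cost is None, cost if cost is not None else 0.0)
    return [name for name, _ in sorted(scorecard.items(), key=key)]


if __name__ == "__main__":
    card = build_scorecard(INCIDENTS, PRODUCT_COST)
    for name in rank_by_cost_per_detection(card):
        print(name, card[name])
    print("confirmed incidents by category:", dict(threat_mix(INCIDENTS)))
```

In this sample the email gateway has the lowest cost per confirmed detection, the EDR and firewall tie, and the DLP product shows zero alerts, which is exactly the "is it being used at all" question the post raises. The category counts answer the other question, whether the organization is mainly seeing phishing-borne malware or persistent intrusions, and can be shown next to the business goals each product protects.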
As the number of healthcare security products continues to grow, CISOs will encounter a growing list of vendors offering to solve their cybersecurity needs. CISOs must be willing to consider advanced technologies that help keep their organizations protected against ever-evolving attacks, while continuing to rely on current products that are still useful and effective. Since CISOs will always be held accountable for their purchases, they need every available method to justify required expenditures.
There is no universal way to allocate a security budget, since every health information system is different. Instead, each CISO must weigh the organization's threat surface, the adequacy of legacy products, and the availability of newer solutions to decide how best to serve the organization within budget. Security scorecards are a useful tool for CISOs who struggle either to decide how to allocate funds across products or to present the data that validates the expenditures needed to keep their networks secure.
For more cutting-edge and informative security content, subscribe to email updates from Demisto.