CISOs need to unleash the power of storytelling to make cybersecurity real to boards, leadership: report

Healthcare organizations, particularly healthcare providers, are in the crosshairs of cybercriminals due to the value of healthcare data and the large attack surface represented by hospital IT systems and connected medical devices.

According to Protenus, the number of patient records impacted has nearly tripled in just one year, jumping from 5.5 million breached records in 2017 to about 15 million in 2018. One look at the headlines, including news of a major flaw in Windows legacy systems, makes it clear how real the threat is for healthcare leaders.

Despite the well-known cyberthreats, communicating these risks to senior leaders and boards can be challenging, according to Deloitte's research report based on interviews with chief information officers (CIOs), chief information security officers (CISOs) and C-suite executives from biopharma companies, medical device manufacturers, health plans and health systems.

“Cybersecurity is a top priority,” one life sciences CISO said. “But there are many top priorities.”

Based on feedback from CIOs, CISOs and other security leaders, Deloitte researchers identified seven strategies to effectively communicate the value of cybersecurity to boards and company leadership.

The goal, according to many CISOs and CIOs, is to help board members and senior leaders move to a “cyber everywhere” approach: an understanding that cybersecurity goes beyond the information technology bucket and can help reduce risk across the enterprise.

1. Create a dialogue to engage leadership and build trust

CISOs and CIOs should give board members the information they need to make sound governance decisions, and give senior leaders the intelligence they need to make sound management decisions. Many security leaders want to elevate the dialogue so that their leaders can make informed decisions and set strategic direction. Rather than simply delivering a briefing on cybersecurity, they want to have a dialogue. Many CISOs and CIOs interviewed for the report said their role is to make sure the risk gets escalated to the right level of leadership. A critical early step is to ensure the board and senior leadership agree on the "crown jewels": the data and assets most in need of protection.


A good report provides leadership with a better understanding of the organization’s current state of cybersecurity, including threats and vulnerabilities the security team is seeing as well as the near-term proactive steps being taken to mitigate those threats and a clear understanding of how those threats and vulnerabilities could impact business functions. The report should also outline longer-term strategies, objectives, investments and associated returns on investment (ROI) the team has established to deal with these threats as well as progress in achieving the objectives, according to Deloitte.

2. Use the power of storytelling and narrative to make it real

CISOs might address the entire board for only a few minutes once a year or once a quarter. Most CISOs speak to smaller board committees, such as the audit committee, more frequently. That means there is pressure to ensure their presentations are crisp and effective. Storytelling can be more powerful than a PowerPoint deck when addressing leadership.

One security leader from a life sciences organization said he and his team typically prepare for board meetings by building stories around a few recent cyber incidents in the organization. The key, he said, is to describe the incident and make sure to explain the impact it had (or could have had) on the business. Connecting specific incidents with specific business functions can help organization leaders make better decisions around addressing risks and managing processes, according to the report.

3. Help board members and leadership understand a “cyber everywhere” mentality is the new norm

The threat landscape is constantly evolving, which means there is no checklist for every meeting or update. Not only are the bad actors adapting and getting smarter, but the business of healthcare demands that organizations continually expand their ecosystem. Many life sciences and healthcare organizations are enhancing mobile apps to better engage consumers, and they are partnering with retailers and nontraditional players. As their organizations move into the cloud and expand their digital footprint, senior leaders will likely have to figure out how to minimize risk. CISOs are emphasizing this point with boards and leadership: Cyberrisk management strategy should be a component of business strategy, and it can’t simply be delegated to the IT team.

Cyberrisk simulations can help improve incident preparedness across the organization. Cyber exercises immerse participants in a simulated, interactive cyberattack scenario, allowing the organization to stress-test its response reflexes, identify capability gaps, and train on and develop advanced preparedness techniques.

4. Explain how the cyber team is collaborating with people inside and outside of the industry

CISOs and CIOs acknowledge that their organizations compete with other life sciences and healthcare companies on market share, building relationships with consumers and providers and other facets of the business. They don’t compete in cybersecurity.

A CISO from a large health plan noted in the report: “We appreciate the need for herd immunity. We do business together, so the supply chain is shared: If one of us is weak, we could all be weak.” Collaboration among CISOs and their equivalents is a big factor in many cybersecurity strategies. Collaboration can be a combination of official and more informal channels—such as the Health Information Sharing and Analysis Center, consortia, meetings or just having other CISOs on speed dial, the report said.


Cross-industry collaboration is another important strategy. There is a growing need for businesses and governments to collaborate to leverage learning and strengths. Some CISOs said they looked to Silicon Valley and other creative hubs to stimulate thinking on cybersecurity innovation.

5. Use metrics to quantify risks, elevate the discussion in dollar terms and connect it back to the business

Metrics are important, according to CIOs and CISOs, but leadership often is most interested in knowing: What are the risks we are facing? What is the cybersecurity team doing about it? Does the team have what it needs to make the right decisions and act quickly?

Cyberrisk should be viewed as a business decision rather than a technical one. CIOs and CISOs should quantify their cyberrisk in financial terms for leadership and empower executives to make informed decisions. Using financial modeling, companies can adopt approaches for estimating both the direct and intangible costs associated with cyberrisk.

According to the report, this kind of modeling can provide greater clarity to support investment decisions around protecting the most valuable assets.

6. Be prepared to answer and defend questions related to cybersecurity investments

When talking about cybersecurity investment, it is necessary to emphasize that cybersecurity is an ongoing challenge and a moving target, and that no dollar amount can make the risk disappear, according to many CISOs. There are some general benchmarks, but investment decisions vary based on the maturity of the overall program.

The subject of ROI is complicated for cybersecurity: the biggest variables—brand reputation value, a compromise in patient safety or trust and potential legal costs—are harder to quantify, the report said.


It's important to explain clearly how the threat landscape is evolving, CISOs said. The metrics reported and the context provided to leadership should strike the right balance between describing the threat landscape and describing what leadership can do to manage the risk.

7. Regularly assess and discuss the skilled talent needed and the potential impact on the organization

Attracting and retaining skilled talent is a top-of-mind concern for many security leaders, and it's also a priority for their boards and senior leaders. More than three-quarters of CISOs surveyed in a recent Deloitte CISO labs report said they lacked the skilled resources and effective team structure to support their priorities.

Organizations are trying different strategies to help train people to apply skills in a real-world setting. The bad actors in cyber tend to be young and typically do not have degrees, according to the report. To ensure counter-cyberattack teams have the right skills to combat the bad actors, some organizations are paying less attention to formal education—opting instead to train on the job.

Deloitte also identified a number of strategies to tackle the talent gap:

  • Explore partnerships with universities and professional organizations to enhance team skill sets. Identify leadership potential in nontechnical employees and help them become well-versed in cyberrisk.
  • Hold cyber “war games” for staff. These simulated scenarios are designed to test the readiness of an organization for specific cyber vulnerabilities and also provide employees with hands-on experience.
  • Consider nontraditional talent. Some organizations are recruiting law school graduates for short-term stints. The graduates get technical training and can move on to careers in cybersecurity insurance or cybersecurity law.
  • Reward employees for knowing the business. To attract and retain millennials and younger generations, some organizations have found that continuous learning and growth opportunities such as providing avenues for rotation and movement within the company are critical.