Security: How to Gain CEO Buy-In
Focus on Explaining the Business Impact
What's the best way to win a CEO's support for greater information security investments? Consultant Eric Mueller advises IT security professionals to spell out the business impact of inadequate security.
CEOs need to understand that if a healthcare organization experiences a major breach that gains media attention, it can "lose customers who decide to go to the hospital down the street," Mueller says. That kind of market share risk "gets executives' attention" and helps build support for spending more on security to prevent breaches, he stresses in an interview with Information Security Media Group's Howard Anderson.
"Make sure you explain the problem in terms that the executives understand ... that there are long-term business consequences," Mueller says.
In the interview, Mueller also:
- Stresses the need for security, compliance and IT departments to align their priorities; and
- Emphasizes the importance of encrypting mobile devices to prevent breaches.
Mueller is president of WPC Services. The Brentwood, Tenn.-based firm, a unit of Washington Publishing Co., offers healthcare technology and business process consulting and recently expanded its security practice.
Lack of Encryption
HOWARD ANDERSON: Despite all of the publicity about major health information breaches involving the loss or theft of unencrypted devices or media, many organizations have yet to encrypt all of their mobile devices and media. Why do you think that's the case, and what will it take to get more CIOs and CEOs to support investing in encryption as well as other security technologies?
ERIC MUELLER: I think right now there's a big divide when it comes to security, compliance and technology. Security and compliance [staff] are working against IT [staff] at times and stifling innovation, because they aren't communicating. They're having a really difficult time working through that; I don't know another way to put that. It's a communication barrier. So I think IT is trying to get involved in the compliance process because it's no longer just an IT security problem. Intrusion detection, pen testing and those types of things, yes, that's one part of it of course. But now you have process. You have people. You have endpoints.
Bridging the gap between the security and compliance team and the IT team is really what's required to be that catalyst. I think that's the most important thing. Once everyone starts talking on the same page, and the technology side of organizations realizes that it's not innovation that the compliance side is trying to stop - they're just trying to reduce the risk - once everyone gets their priorities aligned, then I think that will be the right catalyst. That will be the right standpoint to move these things forward.
ANDERSON: Why isn't encryption more widespread?
MUELLER: If you look at the basis of encryption, it's simple. It's been around for a long, long time. Healthcare entities communicate today and have been communicating for many years through encrypted FTP. That's how most of the data is shared between providers and payers today. So when you add encryption into the workplace, you have a lot of different discussions. You have data that's in transit. You have data that's stored. Then you have the NIST standards. The NIST standards clearly define, "Here's how we interpret encryption." Well, when you try to operationalize that as a provider or a payer of a covered entity, it's not just as simple as encrypting everything because now you have increased storage needs - you have complexity around how the data is organized and how it's accessed. That increases cost; it increases storage capacity especially.
And then on the device side, I really don't have a good answer for that ... History tells us it's pretty clear that when there's a breach and it's because of a worker who's extracted information onto a laptop, and then it's left on a bus, it's left in a café - there's no good excuse for not encrypting those devices. That's a really quite easy thing to do ... And then there are those endpoints and making sure that my laptops and my storage - my zip drives, my thumb drives - everything that can connect to an interface of some kind is encrypted.
Gaining CEOs' Support
ANDERSON: What other advice would you offer to information security professionals who are trying to win senior executives' support for ramping up security efforts and providing adequate funding? How do you enlist the buy-in of your CEO?
MUELLER: It's important to focus on the facts. ... There's not a lot of court precedent that points to, "If you don't do this, it will cost you this." But, when you start talking about the tangibles, obviously there are fines. We know what the risk is there. But there's that aspect of a breach when you have to release information to the media and the media has to announce that you've had a patient breach, that loss of market confidence and market share is very difficult to [quantify].
A good example of this is the online shoe store, Zappos. They had a data breach, and my wife has used that site quite often. I was watching her the other day and she went to Amazon and I said, "Why didn't you go to Zappos?" And she said, "Well, my data is not secure." In reality, that's probably the most secure that site and that company has ever been, but that market perception - when you lose customers who decide to go to the hospital down the street, which may not have nearly as good services, because of a perception issue - that's what's going to get executives' attention.
Explaining the Risk
ANDERSON: Is the fear of bad publicity from a breach enough of a motivation to get the CEO on board now?
MUELLER: You have to explain that if you don't do something, what does that mean to your business? I guess it's better said to operationalize the risk, saying that it's not just as simple as a fine. It's not just as simple as a breach violation. If this happens, here's how it plays out through the system. Here's how, not in security terms, not in compliance terms, but in terms that a CFO, COO and CEO will understand - you stand to lose market share. You stand to lose a percentage of your clients, of your available patients, because of a perception issue. When reimbursements are reducing and when market share is struggling and when reimbursement models now are shifting, when you talk about that uncertainty - that is very difficult for a CEO to swallow.
So I think the answer to your question is it's making sure that you explain the problem in terms that the executives understand. ... There are long-term business consequences. And I think if it's explained that way, they get it.
Lack of Awareness
ANDERSON: Today, is there generally a lack of awareness of all that among senior executives, do you think?
MUELLER: It's fuzzy. I think many senior executives, when you talk about security, there's this big layer of security and then inside of it is magic. ... It's largely viewed as an IT problem. Security - it's making sure that my firewalls are in place and making sure that my website is not hacked. Well, really, when it comes down to it, security and compliance is also on the process side. It's about how patient data is entered. It's about ... when you transcribe notes and you leave it in the hallway and you don't securely deal with that information. Most organizations don't understand that. Again, it's making sure that the message is synched.