Can you ever have enough budget, people, and time to get it all done?
For most security leaders, the answer is no. And now, as attackers turn their attention to healthcare, those same security leaders -- already under pressure -- need to find another gear.
Does that mean a decrease in healthcare spending with an heightened awareness of security is a good thing?
Not so fast.
The PWC Health Research Institute just released their annual “Medical Cost Trend, Behind the Numbers 2016” with a projection that “downward slope of the cost trend will continue.” It also cites cybersecurity as a key component of their predictions.
And that’s the challenge for security leaders. It cites security as one of two major inflators, likely to drive the costs back up. From the report:
Cyber security—large-scale security breaches add a new layer of expense to the health business, as companies move quickly to secure and protect the vast amount of personal health data they possess. The sophistication of attacks means health providers need to spend money on both prevention and, if a breech [sic] occurs, remediation.
At first blush, this might seem like good news. After all, the rise of healthcare breaches means more attention, and that often leads to more budget. The report even suggests the need to spend more on security.
What’s the problem?
Security is now officially called out as a prime reason for cost increases.
How security leaders can navigate this finding successfully
Understanding the risk of increased focus on security coupled with using it as justification for rising costs puts pressure on security leaders to:
- Focus on creating value: instead of reacting, prioritize the assets and efforts that create the most value for the organization; avoid false choices of security versus anything to partner with others to make it easier for people to do their jobs and protect information
- Demonstrate a positive return on budget increases: go beyond just ‘working to prevent breaches;’ this means measuring, demonstrating, and communicating value to the business that they can see, understand, and agree with
- Build rapport and strengthen communication now: the increased interest in security presents the opportunity to build relationships and improve communication in an effort to translate the complexity of security into understanding; leaders engage, share, and listen
Step One: “anticipate breach”
The prevailing focus to security remains on preventing a breach. While laudable, the reality is that breaches happen. And they can happen to you. Typically this is what I called ‘assume breach.” Based on some recent twitter conversations, I’m testing out “anticipate breach.”
The concept is simple: anticipate that despite your best approach to preventative measures, a breach is likely to happen. What sort of detective and responsive/corrective controls and processes are in place?
It matters now -- especially for healthcare security leaders -- because the hyperfocus on security breaches is typically stipulated with the demand to “do something” to “prevent a breach.”
That means any increase in security budget is likely to carry the expectation that it automatically prevents a breach. In most cases, this expectation is unspoken. Either way, this is your leadership opportunity. Assure your colleagues that the prudent protections are in place (assuming they are).
Then ask, “What happens in the event of a breach?”
Explain that you are equally focused on detecting problems quickly and responding appropriately. In order to do that well, you need to understand the priorities of the organization, the focus of the executive team, and the needs of the board.
Why we need to work together
The confusion over security creates great cover for companies. Recent examples include Amy Pascal of Sony and the CEO of Target. While both left after a breach, the deeper stories suggest the lapse in security played more as a storyline than a reason.
Now industry reports citing good news come with a footnote that security is going to drive costs up. The attention to security is a short window with high expectations. It’s time to step up and earn the recognition as leaders, and not just ‘security resources with teams.’
While the focus today is on security leaders in healthcare, the more we work together to challenge conventions and improve how we protect information, the better for everyone.