Thursday, August 28, 2025

How Tampa General Hospital worked to quantify cyber risk



Editor’s note: This article draws on insights from an Aug. 12 CIO Dive and Cybersecurity Dive live virtual event. You can watch the sessions on demand.

Tech executives and cyber leaders may view the enterprise IT estate through different lenses, but the two functions share a focus on enterprise security. While CIOs seek to drive digital transformation by modernizing the tech stack, CISOs are inherently leery of technologies that could weaken an organization’s defenses.

“We love our metrics, and we give all these digits and dials that nobody else understands,” James Bowie, CISO at Tampa General Hospital, said during a CIO Dive panel earlier this month. “It can look dangerous, but you have to sit there and explain, ‘Well, it’s okay that we have this many alerts, just because you’re watching more things’ and spending a lot of time diverting resources and energy … to explaining why the numbers look the way they do.”

Instead of using metrics to overwhelm the hospital’s leadership team or, worse yet, obfuscate cyber problems, Bowie teamed up with Tampa General CIO Scott Arnold to quantify technology risk in terms that hit home with C-suite executives.

When business operations conflict with security imperatives amid a push toward innovation, businesses risk opening the “gateways to cyber hell,” Arnold said during the panel. “At the end of the day, the risk that we take as a management decision, we make that together. As we report out to the board of directors, and I put Jim out there in front of the board of directors, he can quantify that in terms that everybody understands.”

CIOs and CISOs grapple with cyber risks and the consequences of even a minor security lapse across sectors and industries. In healthcare, the stakes are particularly high.

The sector suffered the biggest financial hit from security breaches for the 14th consecutive year in 2024, according to IBM’s annual Cost of a Data Breach report, published last month. The average cost of an incident in healthcare was $7.42 million, compared to $4.44 million for all organizations globally. Healthcare breaches also took 279 days to identify and contain, which was more than five weeks longer than the global average, IBM found.

The numbers matter when properly framed.

“The best way to manage security risk is to quantify it and explain the ramifications so that it’s not just the CIO and CISO who are making the final calls,” Bowie said. “Everybody in business and business operations … understands financial impacts.”

To drive home the potential costs, Bowie brought analytics to bear on IT and process decisions, using data to put a number on the risks posed by each addition to the hospital’s tech stack.

“The process that he and his team put in place, frankly, has been transformational with not only our C-suite, but also our board of directors. It puts the type of risk for certain things into a perspective that everyone understands,” said Arnold.

The threat landscape

Healthcare faces many of the same cyber problems as other sectors. Weaknesses in legacy systems coupled with vendor-related vulnerabilities and a lack of security awareness create clusters of pain points for CIOs and their CISO colleagues.

“We have a large web of legacy systems,” Bowie said. “We have a bunch of equipment that can’t be upgraded because they have to go through a whole certification process with the FDA.”

At a research hospital like Tampa General, data security also has an added layer of complexity.

“It isn’t different from any other industry that has to secure its corporate [intellectual property] … but what does make us a little different is sometimes we have to be a little liberal on the research side of things,” Arnold said. “Sometimes you don’t necessarily have custody or a line of sight into the custody of data — it’s an extra wrinkle that we have to deal with.”

While malicious insider attacks resulted in the costliest breaches among initial threat vectors last year, third-party vendor and supply chain issues ranked second, according to IBM’s analysis.

The one major disagreement about a security-related purchase at Tampa General that Bowie recalled was over a vendor selection.

“It was a vendor that was legitimately under ransomware attack at the time,” said Bowie. “I was like: ‘This isn’t the time to sign a contract with that vendor … let’s hold off on that.’”

The incident highlighted the proactive role a CISO can play when given the opportunity.


