With so many threat actors targeting the healthcare industry, cybersecurity is an organizational issue, and buy-in must start at the top.
Giving a cybersecurity presentation to the C-suite can be a challenge for even the most experienced Chief Information Security Officer (CISO).
You’re often not talking to technical people, for one thing. You might look up from your carefully crafted slides about Zero Trust or third-party risk management and see glazed eyes.
Every executive at the table likely wants something different from your report. The CEO wants to know what the impact of an incident would be. The CFO wants to know about costs. The CRO is worried about risk. Meanwhile, you have your own objectives for the report.
Healthcare organizations are increasingly under attack by cybercriminals. In 2023, the industry reported 655 breaches and the exposure of more than 116 million patient records — 108% more than were exposed in 2022.
With so many threat actors targeting the healthcare industry, cybersecurity is no longer the sole responsibility of the IT department. It’s an organizational issue, and as with all business problems, buy-in must start at the top.
Build trust before trouble occurs
You don’t want to meet with the C-suite for the first time in the wake of a data breach. Regular communication proactively builds a relationship with leaders. If an incident does occur, they’ll know and trust you already.
Educate leadership about the impact of an incident
Unless they’ve already been through a cyberattack, your leadership may not understand the magnitude of a breach’s impact. By examining the business, legal, and technical implications of a breach, you can better explain how to prepare for and prevent attacks.
Provide insight into cyber risks
Cyber risk comes in a variety of forms, from external actors to internal behaviors. By communicating with leadership, you can educate them about the risks at your organization, which will help the business address those issues.
Speak their language
As CISO, you speak to technical people all day, every day. You talk to the IT team, your security team, and vendors. Acronyms, product names, and other IT jargon are part of your vocabulary.
However, most hospital executives don’t come from a technical background. To make sure leadership engages with your presentations, translate technical jargon into business-centric language. This will relate cybersecurity to the broader business issues faced by your organization.
Find a cybersecurity champion
One of the best strategies for improving your communication with the C-suite is to build a strategic relationship with at least one member of your executive team.
Risk, compliance, and privacy officers are natural allies for the CISO. Each role is essentially concerned with risk and security. All three roles also have a longer history in the healthcare industry than the CISO and can help further cybersecurity initiatives by tying security to risk and privacy.
By creating collaborative relationships with one or more executives in these roles, you can learn the language of the C-suite and start building consensus within the leadership team.
When you don’t yet have access to the C-suite
Although cybersecurity has gained the attention of leadership in many healthcare organizations, that’s not always the case. Some CISOs simply do not have access to the executive team.
If that’s the case for you, it’s important to develop strategies that will get you in front of the C-suite — even if they have no interest in cybersecurity. This is where a strategic alliance can be beneficial. Working closely with a risk or privacy officer can help get you in front of the leadership team.
You might, for example, be included in the annual presentation by a risk or privacy officer. Ask your allies what topics are of interest to each member of the board in order to tailor your comments to each member of the leadership team.
As CISO, you have important knowledge to impart to your leadership – insights that can reduce the risk of costly data breaches and help safeguard your organization’s reputation. How you deliver that information can have a huge impact on the actions your executive team ultimately decides to take.
Tamra Durfee is a CISO at Fortified Health Security in Brentwood, Tennessee.