Do your CEO and CFO underinvest in cybersecurity? Here's why and what to do about it

Executives and board members aren't cybersecurity experts, so putting it in terms they can digest is crucial -- and that takes "real-life resonance."

Beth Jones Sanborn, Managing Editor

Despite the shockwaves that rippled through healthcare after massive cyberattacks such as WannaCry and NotPetya, selling cybersecurity to system executives and other decision makers is still a regular hurdle for CIOs and CISOs.

David Finn, executive vice president for strategic innovation at CynergisTek, at least partially attributes this to a sort of disconnect. He said he keeps hearing from CEOs and CFOs that they understand the seriousness of cybersecurity and know they have to do something about it. But the bottom line, Finn said, is that they are not security experts and are not putting enough emphasis on it.

So you have to make it real to them: put the proposal in terms they can understand, and be ready and able to talk about the metrics it could affect. Sometimes the leap from cybersecurity to patient care seems big, but in the end it all boils down to patient safety.

Theresa Meadows, senior vice president and CIO for Cook Children's Health Care System, said she wishes it were a single conversation or a single event and then you are done, but in reality it has to be an ongoing dialogue with the board and executives. For her part, she has established frequent conversation and dialogue with other C-suiters and board members about cybersecurity.

Every month they have a conversation with the executive team about cybersecurity. You have to be relentless in your communication, over and over, because without buy-in at the board level and the executive level you always have to start at the beginning with them, and when you really need to get something done or have a significant spend, you'll never get where you need to be.

"They see our security officer coming and they're like, 'OK, here we go again.' But that's kind of what we want. Now they are engaged and they ask questions and are more informed," Meadows said. "What we are worried about today might be solved tomorrow but there is always something new. So you always have to be on top of things."

Meadows and Finn will offer more insights at HIMSS19 in a session titled "Building Business Narratives to Sell Security to the Board." It's scheduled for Wednesday, February 13, from 10:00-11:00 a.m. in room W320.