Cyberattacks are now a daily threat for healthcare organizations, and healthcare data breach costs have increased to an average of $9.23 million per incident, according to IBM Security’s Cost of a Data Breach Report 2021. So it’s no wonder that everyone from the cybersecurity team to administrative assistants to nurses and physicians are aware of the impact of cybercrime on a healthcare organization. You can bet that the board of directors at your healthcare organization also has a heightened awareness of cybersecurity. But how do you effectively present cybersecurity to the board?
The board of directors focuses primarily on the business of patient healthcare. Often, it’s up to the chief information security officer (CISO) and chief information officer (CIO) to connect the dots between the business of healthcare and the risk of cyber threat. To do so, you must have strong communication skills. You need to prepare your presentation to the board, communicate effectively during the meeting, and build a relationship with the board members.
Prepare your presentation to the board
Preparation is key, so identify your objectives and implement a plan. Do you need to secure additional budget and resources? Are there specific threats in the cyber landscape that require a change in policy or process? Has a cyber event occurred that demands the board’s attention? Whatever your goal, clearly state it and gather all the information the board needs to understand the issues. You’ll want to describe, using carefully chosen metrics, the current cyber risks your healthcare organization faces and quantify those risks by category and in financial terms.
Keep your presentation short, maybe 15 to 30 minutes, but long enough to fully explain what the board needs to know. As you’re preparing, remember that the board will want specifics, whether you’re asking for additional resources or explaining a recent threat, so arrive at the meeting armed with ample details — costs, timelines, return on investment, and any other pertinent information — to win support for your objectives.
Communicate cyber risks effectively
A proactive discussion with the board can help the members fully comprehend the cyber threats to your healthcare organization. But you need to speak their language rather than using cyber jargon, so be sure to frame your discussion in a business context. You should address your performance in preventing, detecting, and remediating cyber risk. You can reinforce that the price of a cyberattack or data breach is far greater than the cost of cybersecurity to protect against threats. As you know, a cyberattack can cause exposure of sensitive patient data, risk to patient safety, noncompliance issues, operational downtime, reputational damage, and more. Use numbers and dollar amounts where possible to make your case. Also, you can discuss your use of audits, penetration testing, business continuity exercises, and other actions that your team is taking to address cyber threats.
Build a relationship
Developing a strong partnership with the board of directors is vital for any CISO or CIO. The board members must trust that you are knowledgeable and understand how cybersecurity affects the business objectives, revenues, and operations of the healthcare organization. To create an ongoing atmosphere of collaboration, you should consider opportunities to interact with board members, such as arranging an event where the board can meet your team or offering an invitation for them to observe or participate in a cybersecurity exercise.
“The CISO-board relationship is one of the most critical dynamics in business today,” according to Security Intelligence. “The organization’s future depends on it.”
Interested in learning more?
With cyberattacks and data breaches on the increase, healthcare CISOs and CIOs must effectively communicate to keep the board up to speed on cyber risks.
For more in-depth, practical guidance on how to effectively present cybersecurity to the board of directors, read our whitepaper 5 Best Practices for Reporting to Your Board About Cybersecurity.