Last updated at Thu, 25 Jun 2020 13:02:00 GMT

Vulnerability management can often feel like a thankless job, especially when your leadership team has a difficult time understanding the progress you’re making. We’ve found that the most successful security programs are the ones that are able to align their objectives with the business goals of the organization.

By showing your non-technical audience measurable progress in the context that resonates with them, you can:

  • Raise your leadership team’s confidence in your program
  • Increase their willingness to “buy in”
  • Justify future investments in security programs

We (virtually) sat down with Richard Kaufmann, CISO of healthcare company Amedisys, to get a firsthand perspective of the importance of measuring value in terms of business impact and successfully securing more budget—especially during these tumultuous times.

Q: In general, how do you measure the ROI or value of your information security program?

A: For a healthcare company, the historic answer to this question would be something along the lines of protecting patient PHI and PII, but to a modern security program, our job within the healthcare vertical extends far beyond this basic capability. Preventing non-authorized PHI and PII disclosures aren’t even table stakes these days—they’re the cost of the buy-in. Many healthcare organizations’ security budgets are fractions of the potential cost of a data breach. Our company measures the value of our security program as a percentage of this exposure, but we also take into account the number of cyber-attacks that are unsuccessful, as well as the near misses, on an annual basis.

Vulnerability management and threat intelligence is a great example of how we approach this. Through threat intelligence, we can say to our organization, “Here is what most of the bad guys are doing. Here is how those TTPs look in our environment.” It usually takes us this amount of time to remediate that risk—is that remediation time acceptable? Value is an agreed-upon variable based on two parties. It’s supposed to be a conversation. That’s why engaging with our stakeholders is part of our everyday practice.

Q: Have you struggled to secure a budget for your information security program before?

A: Sure. We all have. To me, this isn’t a problem with business, it’s a problem with the approach many information security leaders and CISOs use to persuade their boards and budget committees. Chicken Little only had one sales pitch. If you’re constantly the person talking about how the sky is falling, of course you’re going to have limited results. The sky isn’t falling, it’s just the sky. Cyber-threats are real and they are ambient. The key to securing the right budget for information security is to be able to demonstrate the ability to mitigate threats on a daily basis and show how increasing security capabilities will contribute to the bottom line.

Within the healthcare vertical, my job as CISO isn’t to prevent a data breach. My job is to increase the quality of patient care. The way that I do that is through reducing cyber-threats, but at the end of the day, I’m here to make sure our patients get the right care, at the right place, at the right time. My experience is that many security teams lose focus on that core mission that keeps their companies in business. When you aren’t part of the business plan, you are just another cost center.

Q: Has COVID-19 impacted your security budget or resources?

A: Yes, but not impacted in the sense that we are investing less, we are just investing differently. The priorities of our program and the threat landscape in general has changed as a result of COVID-19, and our program is adapting to these changes. This has had an overall impact to our strategy over the next 3 years, in some areas we are investing less and in other areas we are investing significantly more.

Securing a budget for your security program is made possible through continuous engagement with key stakeholders in which you highlight your team’s impact on the business. As said best by Richard, “When you aren’t part of the business plan, you are just another cost center.” Read our blog post on translating security’s key risk indicators (KRIs) into your business’ key performance indicators (KPIs) if you’re interested in learning more.