Why CISOs need to build better business cases for data security

Even with massive HIPAA fines and the high-profile risks from cyber attacks, HIT execs still need to build a solid financial case for crucial security expenditures, says Brian Evans.


Feinstein Institute for Medical Research, North Memorial Health Care of Minnesota, and St. Joseph Health System made the headlines recently with their million-dollar settlements for their data breaches. That means a few more executives have joined the ranks of those wishing they had spent more time, attention and resources on security.

Security continues to be a major pressure on the healthcare industry and is becoming a board-level agenda item. So why do security initiatives such as laptop encryption still seem to lack adequate funding, prioritization and support, until a breach or lawsuit occurs or HIPAA auditors demand change?

These executives, like many more before them, weren’t convinced that certain security efforts or initiatives were important enough to receive funding. Maybe they didn’t know that security requires ongoing investments coupled with effective and consistent management and execution.

Of course, all executives have competing priorities with finite resources. So maybe part of the problem is that those selling security to these executives didn’t have a valid business case that demonstrated how results could be delivered and the value it could bring.

In decentralized healthcare organizations, the overall budget for security-related costs is often spread across a number of different clinical, business and technology areas. Typically, the easy business case for a security investment is that it improves the organization's overall security posture.

However, CISOs will have to replace this undemanding path with an approach that makes business cases in terms executives can appreciate and directly connect to the organization's top strategic goals and objectives. Making more effective business cases can help to win investment dollars and gain more control over a budget that is not always under a CISO's direct management.

Security investment decisions are only as good as the business case process. The first step in this process is to define the security initiative well enough so that decision makers can make informed choices. Business cases do this by helping executives understand the business value of the security investments, and decide whether to fund them. They justify the security investments and guide the subsequent work. In short, they drive results, and not just promise them, because they’re used to ensure the project and the benefits are delivered.

Each business case is a critical input to the following management processes:

  • Security funding and investment appraisal and prioritization
  • Operational control and coordination
  • Benefits realization

Effective business cases avoid common shortfalls. Healthcare executives are often asked to approve large capital investments based on flimsy business cases that:

  • Aren’t aligned with corporate plans, objectives and strategies.
  • Focus on technology rather than on the needed changes in processes and people that will achieve the benefits.
  • Ignore major risks or how they will be mitigated.
  • Don’t quantify all potential benefits, who will achieve them and how they will be measured.
  • Have little or no involvement or ongoing commitment from stakeholders.
  • Aren’t used to institutionalize new ways of working and the resulting benefits.
  • Aren’t used to guide the projects from analysis through implementation.
  • Aren’t documented and communicated clearly and credibly.

Business cases are too often viewed only as documents for gaining funding. Once approved, they are put away. Many healthcare organizations track project costs against estimates, but few seriously track the business benefits the projects actually achieve.

CISOs can build effective business cases, and get more out of them after approval, in three ways:

Develop effective cases collaboratively. Effective business cases are developed using a business-driven, inclusive process that avoids three common shortfalls by:

  • Involving all stakeholders to ensure approval and ongoing support.
  • Focusing on how the business will achieve changes related to both processes and people.
  • Identifying all potential benefits and who will achieve them.

Fully document and communicate. Effective business cases fully document and clearly present the information decision makers need and avoid three other common shortfalls by:

  • Linking the business case to business strategies, plans and objectives.
  • Describing the major risks and how they will be mitigated.
  • Packaging and communicating the business case in a way that boosts its credibility.

Leverage effective business cases after approval. Effective business cases add value throughout the entire project life cycle. They are used for:

  • Guiding and assessing project execution.
  • Tracking how well process and people changes are being institutionalized, and the realization of benefits.

Healthcare organizations need to invest continually in security to minimize incidents and breaches. That makes it important to choose the right investments and to make sure they deliver.

Unfortunately, security business cases often fall short. But CISOs can revamp their approach and build effective business cases by avoiding the common shortfalls and focusing on results and the value they bring. Effective business cases significantly improve the odds of project success: they generate stakeholder commitment rather than mere support, they are credible, and they guide the work to ensure that the expected benefits are realized.
