Privacy & Security

5 tips for winning a bigger cybersecurity budget

Hint: Getting breached, while far from ideal, will almost always work
By Tom Sullivan
November 16, 2015
09:15 AM

Despite the constant stream of data breaches and ever-larger criminal attacks against healthcare and other organizations, CIOs and CISOs are facing a stumbling block when trying to win approval for a larger security budget: Upper management questioning whether they can execute on proposed projects. 

So how to convince them?

Researchers uncovered a fistful of tactics while compiling a report titled Identifying How Firms Manage Cybersecurity Investment. Authors Tyler Moore, Scott Dynes and Frederick Chang of the Darwin Deason Institute for Cyber Security at Southern Methodist University in Dallas offer the following five tips.

[Learn more: Meet the speakers at the HIMSS and Healthcare IT News Privacy and Security Forum.]

  1. Get breached. The most dangerous, and perhaps obvious, technique is also a sure-fire guarantee. While no healthcare organizations would or should intentionally trigger a breach, one CISO told the researchers that "upper management has gotten religion about how important security is." Translation: organizations that have been breached tend to react with substantial security investments.
  2. Make security real. Short of an actual breach, of course, there are ways to instill the security religion. Demonstrating existing vulnerabilities is one; another is to point to high-profile breaches such as Anthem and even to institutions outside healthcare, most notably Target. Dig a bit deeper than the headlines to find out what happened, how much it cost the organizations and other ramifications as examples of what is possible and, in turn, should be taken into account within a corporate-wide security strategy.  
  3. Institute a framework. The authors described this as a "tried-and-true" approach and explained that "a custom framework built on ISO and NIST guidelines has satisfied management that the CISO has a solid plan for investment." In addition to using the framework to demonstrate vision, many CISOs reported harnessing it as a communications platform for "bridging the gap between IT thinking and business thinking," by using the tool to make security threats and risks more clear, easier to understand.
  4. Play the compliance card – but do so wisely. It's a mantra chanted time and again in the healthcare realm: security-by-compliance just doesn't cut it. Indeed, meeting HIPAA requirements is not enough but providers must manage just that and, as such, compliance is an effective way to get projects funded. But "the most effective CISOs tended to avoid making cases based primarily on compliance alone. As one CISO remarked, 'I try, in everything that I communicate about why we're investing in security, I always try to make the compliance argument the last thing because I think that way too many programs are aligned around 'What's the minimum thing I have to do to get a check mark? And if I get a check mark I must be fine'. I don't really talk about the security program from a compliance standpoint very often."
  5. Consider return on investment. This is a difficult tactic because cybersecurity has traditionally been viewed as something of a cost center, with One CISO saying "in security, ROI is a fallacy," and only a small number of participants indicated that they use ROI metrics. "The interviews themselves made clear that there was much more focus on process measures than outcome measures," the authors wrote. "A focus on controls – finding and fixing gaps between current and desired cybersecurity posture – dominates. There is much less focus on the actual results of cybersecurity efforts, such as examining costs and the effectiveness of controls."

Flipping the perspective around offers another finding to be bear in mind: What's not driving larger investments?

"Cost reduction was only selected as a top driver by one respondent. Even though security is often portrayed as a cost center to the business, few CISOs view security spending as an opportunity to reduce costs for the firm. Customer requirements, while selected by a few respondents, is also not widely seen as a driver of security investment."

What tactics have – and which have not – worked to earn you a bigger cybersecurity budget?

See also:
CISOs: Healthcare's new rock stars
CISOs and CIOs: Why can't we be friends?
4 takeaways from Ponemon's 2015 healthcare security report

Topics: 
Business Intelligence, Privacy & Security, Workforce, Financial/Revenue Cycle Management, Compliance & Legal

More regional news

Capitol rotunda at sunset

Congress releases AI policy blueprint

By
Andrea Fox
December 20, 2024
Epic booth at HIMSS global conference

Epic files to dismiss antitrust lawsuit

By
Andrea Fox
December 20, 2024
Representatives of NUS Medicine, Kailuan General Hospital, Tianjin Medical University, and Tianjin Medical University General Hospital pose after signing their MOU

Chinese hospitals join NUS Medicine's big health data project

By
Adam Ang
December 19, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Server room
Another House bill aims to protect against hospital cyberattacks

Most Read

My Health Record sharing law eyed and more briefs
Epic asks court to throw out 'baseless' Particle Health lawsuit
FDA releases its stance on regulating AI in healthcare
CHAI: Look for healthcare AI model 'nutrition labels' soon
New DiMe platform validates digital health software
Evernorth taps Transcarent for digital cancer program

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

John Saran at Holland & Knight_Modern office buildings in London Photo by Tim Grist Photography/Moment/Getty Images
PE and healthcare investment: What's next for 2025
Sponsored by
Healthcare worker talking to patient
New infusion pumps may help lighten nurses’ workload
Dr Chien-Tzung Chen 4t Linkou Chang Gung Memorial Hospital_HIMSS24 APAC
Linkou Chang Gung Memorial Hospital eyes remote patient monitoring at home
Dan Torrens at eHealth Technologies_Blockchain in healthcare concept Photo by ArtemisDiana/iStock/Getty Images Plus
Getting providers from point A to B

More Stories

Dr. Eric Liederman, CEO of CybersolutionsMD
Q&A: CybersolutionsMD CEO on preventing cyberattacks
Change healthcare booth
Nebraska sues Change Healthcare over ransomware attack
Vijayashree Natarajan of Omega Healthcare on AI
Three for 2025: data security, cancer informatics and agentic AI
Capitol Hill
Congress looks set to extend telehealth and hospital-at-home flexibilities
Josh Di Frances at LG NOVA_Top down view of startup team Photo by NanoStockk/iStock/Getty Images Plus
What a startup pitch competition shows about IT innovation
Ravi Teja Karri of Froedtert Health on AI
Using AI and ML in predictive analytics for bed demand forecasting
Abstract image of AI brain and technology
ASTP updates HHS AI Use Case Inventory for 2024
Female doctor on laptop smiles at patient in foreground who is taking notes
Report shows overwhelming doctor support for virtual care