Do you know your hurdle rate? Michael Carr, VP, CTO/CISO, at Health First, the Florida hospital operator and health insurance provider, recently gave a talk to the HealthITSecurity Virtual Summit that covered financial terms and metrics that a CISO should know to “be taken seriously as a business partner.” He also made a strong pitch for risk quantification (with a hat tip to FAIR).
Carr’s key points of advice:
Talk about ROI
“Gone are the days of fear, uncertainty and doubt. We are moving to the more value-driven, data-driven cybersecurity strategy. If we can’t speak to the return on investment, it’s hard to be taken seriously as a business partner. If we say there’s a really scary risk out there, I need half a million dollars to mitigate, over time you tend to lose credibility.”
Know Your Company’s Hurdle Rate
“Most organizations have a minimum hurdle rate – your project must exceed some threshold before it is even considered. It doesn’t always have to be dollars and cents, it could be time to value, it could be ease of use and implementation. But if you don’t have a hurdle rate for your cybersecurity projects and initiatives, then you really are falling back into that trap of fear, uncertainty and doubt.”
Understand Time to Value
“You should pay for things based on how quickly you use them. How long will it take you to implement a new solution? If it takes you a year to implement and you have a three-year contract, you’re paying for a year, but you get no value out of that. So, think about how quickly you can achieve return on investment.”
“If you don’t measure up front, if you don’t set those goals, if you don’t quantify the risk, it’s hard for you to come back and say if you got the value. You have to think like a businessperson.”
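The three pieces of advice above fit together as one calculation: quantify the risk (a FAIR-style annualized loss exposure, loss event frequency times loss magnitude), estimate how much a control reduces it, discount the benefit for the months in which the contract is paid but the control is not yet live, and compare the result with the organization's hurdle rate. The following Python is an added worked example written for this post, not code from Carr's talk, Health First, or the FAIR Institute. Every figure in it (the scenario, the three candidate projects, the 12% hurdle rate) is a constructed illustration, and the project evaluation is a simple net-present-value check, which is only one way a finance team might express a hurdle rate.

```python
"""Evaluate security projects against a hurdle rate with time-to-value adjustment.

Added example (not from the original post). All dollar figures, frequencies and
reduction percentages below are constructed for illustration.
"""
from dataclasses import dataclass
import random


@dataclass
class Scenario:
    """FAIR-style point estimates for one loss scenario."""
    name: str
    loss_event_frequency: float   # expected loss events per year
    loss_magnitude: float         # expected dollars lost per event


@dataclass
class Project:
    """A candidate control with its contract terms and estimated effect."""
    name: str
    annual_cost: float
    contract_years: int
    months_to_value: int          # months of implementation before any benefit
    lef_reduction: float          # fraction by which the control cuts frequency
    lm_reduction: float           # fraction by which the control cuts magnitude


def annualized_loss_exposure(s: Scenario) -> float:
    """ALE = loss event frequency x loss magnitude."""
    return s.loss_event_frequency * s.loss_magnitude


def annual_benefit(p: Project, s: Scenario) -> float:
    """Yearly risk reduction once the control is fully live."""
    after = Scenario(s.name,
                     s.loss_event_frequency * (1 - p.lef_reduction),
                     s.loss_magnitude * (1 - p.lm_reduction))
    return annualized_loss_exposure(s) - annualized_loss_exposure(after)


def live_fraction(year: int, months_to_value: int) -> float:
    """Fraction of contract year `year` (1-based) during which the control delivers value."""
    live_months = min(12, max(0, 12 * year - months_to_value))
    return live_months / 12


def cash_flows(p: Project, s: Scenario) -> list:
    """Net cash flow per contract year: benefit while live, minus the full annual fee.

    The fee is charged every year regardless of ramp-up, which is Carr's
    'paying for a year but getting no value' point.
    """
    benefit = annual_benefit(p, s)
    return [benefit * live_fraction(y, p.months_to_value) - p.annual_cost
            for y in range(1, p.contract_years + 1)]


def npv(flows: list, hurdle_rate: float) -> float:
    """Net present value of year-end cash flows discounted at the hurdle rate."""
    return sum(cf / (1 + hurdle_rate) ** t for t, cf in enumerate(flows, start=1))


def evaluate(p: Project, s: Scenario, hurdle_rate: float) -> dict:
    """Return NPV, simple ROI, and whether the project clears the hurdle rate."""
    flows = cash_flows(p, s)
    total_cost = p.annual_cost * p.contract_years
    total_benefit = sum(cf + p.annual_cost for cf in flows)
    value = npv(flows, hurdle_rate)
    return {"project": p.name,
            "npv": value,
            "roi": (total_benefit - total_cost) / total_cost,
            "clears_hurdle": value > 0}


def simulate_ale(lef_range: tuple, lm_range: tuple, n: int = 20000, seed: int = 1) -> float:
    """Monte Carlo mean ALE from (low, most_likely, high) ranges instead of point estimates."""
    rng = random.Random(seed)
    total = 0.0
    for _ in range(n):
        lef = rng.triangular(lef_range[0], lef_range[2], lef_range[1])
        lm = rng.triangular(lm_range[0], lm_range[2], lm_range[1])
        total += lef * lm
    return total / n


# Constructed scenario and candidate projects (illustrative numbers only).
RANSOMWARE = Scenario("ransomware outage", loss_event_frequency=0.5, loss_magnitude=2_000_000)
HURDLE_RATE = 0.12
PROJECTS = [
    Project("EDR + immutable backups", 250_000, 3, months_to_value=12, lef_reduction=0.6, lm_reduction=0.3),
    Project("managed detection service", 400_000, 3, months_to_value=3, lef_reduction=0.5, lm_reduction=0.2),
    Project("slow platform replacement", 500_000, 3, months_to_value=18, lef_reduction=0.3, lm_reduction=0.1),
]

if __name__ == "__main__":
    print(f"ALE (point estimate): ${annualized_loss_exposure(RANSOMWARE):,.0f}")
    print(f"ALE (Monte Carlo, ranges): ${simulate_ale((0.2, 0.5, 1.0), (500_000, 2_000_000, 5_000_000)):,.0f}")
    for p in PROJECTS:
        r = evaluate(p, RANSOMWARE, HURDLE_RATE)
        print(f"{r['project']:<28} NPV ${r['npv']:>12,.0f}  ROI {r['roi']:6.1%}  clears hurdle: {r['clears_hurdle']}")
```

Run as a script it prints each project's NPV and ROI next to a yes/no against the hurdle rate. The first project has the larger ROI over the contract, but its twelve-month ramp-up means the first year is pure cost, while the second project starts returning value in its first quarter; the third never clears the hurdle, which is the kind of "scary risk, half a million dollars" request Carr warns will erode credibility. Swapping the point estimates for the triangular ranges in `simulate_ale` is the step toward the calibrated-range, Monte Carlo style of analysis that FAIR practitioners use.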
CISOs in the healthcare and health insurance industry are moving Carr’s way. For a look at how Highmark Health implemented a FAIR-based risk management program, see this detailed case study from RiskLens. Highmark achieved an $11 million return on investment for cyber risk reduction in year one. The FAIR Institute has been working with the developers of the HITRUST CSF to bring risk quantification to the most commonly used cybersecurity framework for healthcare – learn more about FAIR and HITRUST integration.