Using Metrics to Tell a Security Risk Story
A CISO and a Security Consultant Describe Critical Steps
Metrics can help CISOs clearly communicate the potential impact of risks to senior executives and win support for a risk management strategy, say Randall Frietzsche, enterprise CISO of Denver Health, and consultant Dave Bailey of CynergisTek, who describe a step-by-step approach in a joint interview.
"What we generally find is ... the folks that run IT delivery services have a good understanding on how they impact patient care," Bailey says. "What is difficult is when you overlay security risk and how you address the risks of today - whether that be financial risk from data breaches or how patient safety is impacted by a true hack from a cyber perspective. It's really difficult to take that risk from the CISO and translate it up to the business."
To help achieve that, frameworks such as the National Institute of Standards and Technology cybersecurity framework and the HITRUST Common Security Framework can play an important role.
Frietzsche says measuring and rating risks, and communicating that in terms that resonate with business leaders, is critical to having "a very strong foundation" in security risk management.
For instance, Frietzsche says his organization taps certain metrics to help measure and illustrate the risk level of different vendors.
"Any contracts we're going to sign with a business, we have high-level risk stratification questions," he says. That includes questions about the type and volume of data being handled by a vendor, and how that data is being shared, he says.
"Those are the risk stratifiers that tell me what else we have to do, if anything, with this particular contract," he says.
Vendors are then "tiered" in terms of their level of risk. "That's a very important key. It helps us build the relationships with the organization because ... we have the appropriate risk analysis done, but we're not holding up the business," he adds.
"From that, we assess against a set of control objectives that should be based on some framework. We use the NIST framework for that."
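The workflow Frietzsche describes has three parts: stratification questions about the data a vendor handles, a tier derived from the answers, and an assessment of that vendor against control objectives drawn from a framework. The following is an added example of how that can be turned into a reportable metric; it is not Denver Health's or CynergisTek's own tooling. The scoring weights, tier thresholds and the control objectives listed under each NIST CSF function are constructed for illustration, not taken from the interview or from NIST.

```python
from dataclasses import dataclass, field

# Control objectives grouped under the five NIST CSF core functions.
# The function names are NIST's; the objectives beneath them are constructed
# for this example and are not an official list.
CONTROL_OBJECTIVES = {
    "Identify": ["asset inventory", "data classification"],
    "Protect": ["encryption at rest", "encryption in transit",
                "MFA for remote access", "least-privilege access"],
    "Detect": ["log monitoring"],
    "Respond": ["breach notification clause"],
    "Recover": ["tested backups"],
}
ALL_OBJECTIVES = [c for group in CONTROL_OBJECTIVES.values() for c in group]

# Which objectives each tier must satisfy before a contract is signed
# (constructed mapping; tier 1 is the highest-risk tier).
TIER_REQUIREMENTS = {
    1: ALL_OBJECTIVES,
    2: ["data classification", "encryption at rest", "encryption in transit",
        "MFA for remote access", "breach notification clause"],
    3: ["breach notification clause"],
}

# Answers to the high-level stratification questions, with constructed weights.
DATA_TYPE_WEIGHT = {"PHI": 3, "PII": 2, "none": 0}
SHARING_WEIGHT = {"api": 1, "sftp": 1, "email": 2, "none": 0}


@dataclass
class VendorProfile:
    name: str
    data_type: str            # "PHI", "PII" or "none"
    record_volume: int        # records the vendor will hold or process
    sharing_method: str       # "api", "sftp", "email" or "none"
    controls_met: set = field(default_factory=set)  # objectives evidenced so far


def stratify(profile: VendorProfile) -> int:
    """Turn the stratification answers into a risk tier (1 = highest risk)."""
    if profile.data_type not in DATA_TYPE_WEIGHT:
        raise ValueError(f"unknown data type: {profile.data_type!r}")
    if profile.sharing_method not in SHARING_WEIGHT:
        raise ValueError(f"unknown sharing method: {profile.sharing_method!r}")
    # A vendor that touches no regulated data is always the lowest tier,
    # regardless of volume or channel.
    if profile.data_type == "none":
        return 3
    score = DATA_TYPE_WEIGHT[profile.data_type]
    if profile.record_volume >= 100_000:
        score += 2
    elif profile.record_volume >= 1_000:
        score += 1
    score += SHARING_WEIGHT[profile.sharing_method]
    if score >= 5:
        return 1
    if score >= 3:
        return 2
    return 3


def assess(profile: VendorProfile) -> dict:
    """Assess a vendor against the control objectives its tier requires.

    Returns the tier, the percentage of required objectives met, and the
    open gaps, which is the metric the security team can report upward.
    """
    tier = stratify(profile)
    required = TIER_REQUIREMENTS[tier]
    gaps = [c for c in required if c not in profile.controls_met]
    met = len(required) - len(gaps)
    return {
        "vendor": profile.name,
        "tier": tier,
        "coverage_pct": round(100 * met / len(required)),
        "gaps": gaps,
    }


def assess_portfolio(profiles: list) -> list:
    """Assess every vendor and order the results highest risk first."""
    results = [assess(p) for p in profiles]
    return sorted(results, key=lambda r: (r["tier"], r["coverage_pct"]))


# Constructed vendor profiles, not real organisations.
SAMPLE_VENDORS = [
    VendorProfile("claims-clearinghouse", "PHI", 250_000, "sftp",
                  {"asset inventory", "data classification", "encryption at rest",
                   "encryption in transit", "MFA for remote access",
                   "log monitoring", "tested backups"}),
    VendorProfile("patient-survey-tool", "PII", 500, "email",
                  {"encryption in transit", "breach notification clause"}),
    VendorProfile("facilities-hvac", "none", 0, "none"),
]

if __name__ == "__main__":
    for row in assess_portfolio(SAMPLE_VENDORS):
        print(f"{row['vendor']:<22} tier {row['tier']}  "
              f"{row['coverage_pct']:>3}% of required controls met  "
              f"gaps: {', '.join(row['gaps']) or 'none'}")
```

The coverage percentage per tier is what lets the security team say "our tier 1 vendors meet 78% of required controls and here are the open gaps" rather than presenting a list of findings; the tier itself decides how much assessment work a contract triggers, which is the point of not "holding up the business" on low-risk vendors.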
In this interview, Frietzsche and Bailey also discuss:
- Additional steps in using metrics to rate security risks against business risks;
- Tips for translating healthcare security, privacy and compliance risks into business risks in order to engage with the C-suite;
- Risk management mistakes entities should avoid.
Frietzsche, enterprise CISO at Denver Health, started his career as a law enforcement officer. He teaches cybersecurity courses at Harvard and Regis universities. Previously, he worked for Catholic Health Initiatives, most recently as the regional information security officer for its QualChoice Health Plans.
Bailey is director of security services at CynergisTek. In this role, he leads the execution of enterprise risk assessments. He previously served as the director of technology and security at Mary Washington Healthcare in Fredericksburg, Va., where he also served as the HIPAA security officer.