Giving a cybersecurity presentation to the C-suite can be a challenge for even the most experienced Chief Information Security Officer (CISO). You’re often not talking to technical people, for one thing. You might look up from your carefully crafted slides about Zero Trust or third-party risk management and see glazed eyes.
Every executive at the table likely wants something different from your report. The CEO wants to know what the impact of an incident would be. The CFO wants to know about costs. The CRO is worried about risk. Meanwhile, you have your own objectives for this report.
How can you develop a rapport with your C-suite or board so that everyone can get the information they need?
More importantly, how can you communicate with leadership in a way that builds executive buy-in for cybersecurity initiatives at your hospital?
Why is effective C-suite communication important in healthcare?
There was a time when some organizations thought of cybersecurity as an “IT problem” but those days are behind us.
Healthcare groups are increasingly under attack by cybercriminals. In 2023, the industry reported 655 breaches and the exposure of more than 116 million patient records — 108% more than were exposed in 2022.
With so many threat actors targeting the healthcare industry, cybersecurity is no longer the sole responsibility of the IT department. It’s an organizational issue, and as with all business problems, buy-in must start at the top.
Building consensus with leadership
Talking to executives is a relatively new experience for CISOs, who usually come from technical backgrounds. As Fortified board member Paul Connelly explained in a recent Substack post:
“Twenty years ago, most CISOs were subject matter experts who discussed technical issues in depth with audiences that were mostly within the IT world. Today, most CISOs still have high technical knowledge, but their audience has changed dramatically – in addition to IT partners, they must also regularly communicate with business leaders and the board.”
This new responsibility might be a bit unnerving, but it’s also crucial.
Effective communication with the executive team helps generate support for cybersecurity initiatives in the C-suite:
Foster a trust relationship with leadership
You don’t want to meet with the C-suite for the first time in the wake of a data breach. Regular communication proactively builds a relationship with leaders. If an incident does happen, they’ll know and trust you already.
Educate leadership about the impact of an incident
Unless they’ve already been through a cyberattack, your leadership may not understand the magnitude of a breach’s impact. By explaining the business, legal, and technical implications of a breach, you can better explain how to prepare for and prevent attacks.
Provide insight into cyber risks
Cyber risk comes in a variety of forms, from external actors to internal behaviors. By communicating with leadership, you can educate them about the risks at your organization, which will help the business address those issues.
Strategies for improving communication with leadership
Not every CISO comes to the job innately knowing how to talk to leadership. However, communication with the C-suite is a skill, and like any skill, it can be learned.
Here are some examples of strategies for fostering a relationship with the leadership at your healthcare organization.
Speak their language
As CISO, you speak to technical people all day, every day. You talk to the IT team, your security team, and vendors. Acronyms, product names, and other IT jargon are part of your vocabulary.
However, most hospital executives don’t come from a technical background. To make sure leadership engages with your presentations, translate technical jargon into business-centric language. This will relate cybersecurity to the broader business issues faced by your organization.
“How well you communicate with different levels and groups is a major factor in how successful you can be as a modern CISO,” says Connelly.
Here are some examples of how you can address security problems from a business perspective:
- How much money might a cyber security initiative save the company?
- Can an initiative reduce cybersecurity insurance premiums?
- What’s the financial, legal, and reputational impact of a data breach?
- How would a ransomware attack affect the daily operations of your organization?
Find a cybersecurity champion
One of the best strategies for improving your communication with the C-suite is to build a strategic relationship with at least one member of your executive team.
Risk, Compliance, and Privacy officers are natural allies for the CISO; despite different focuses, each role is concerned with risk and security. All three roles also have a longer history in the healthcare industry than the CISO and can help further cyber security initiatives by tying security to risk and privacy.
By creating collaborative relationships with one or more executives in these roles, you can learn the language of the C-suite and start building consensus within the leadership team.
The following are some steps for building a relationship with your cybersecurity champion:
- Share a draft of your presentation with them beforehand and ask for feedback
- Be open to that feedback and incorporate it into the presentation
- Acknowledge and thank them for their input in your presentation and other relevant communications
- Work with them consistently
Show, don’t just tell
It’s important to keep your audience engaged when you’re giving a presentation. Most executives may not respond to slide after slide of data and metrics. Instead, use your data to tell a story.
Say you’re giving a presentation on vendor risk, and your goal is to change the way third-party cyber risk is managed at your hospital:
- Set the scene. Tell them why third-party risk is an important issue, and why they should care. Relate the issue to your organization using specific examples. Which healthcare breaches at organizations like yours were caused by vendors? How much did those breaches cost?
- Tell a story. What was the impact on those organizations? What was the impact in terms of revenue, or in terms of the ability of nurses to provide patient care, such as timely and safe medication administration, while systems were down?
- Tie it to organizational goals and challenges. How does reducing risk help your organization achieve its goals or resolve challenges? For example, if boosting staff retention is a major goal for the hospital, it’s important to point out that a major data breach will influence retention.
- Present solutions. Important though it is to highlight problems and discuss data breaches, Connelly points out that a presentation should also highlight solutions to those problems. Make sure you have actionable solutions for the issues you’ve pointed out in your presentation.
If you don’t have access to leadership yet
Although cybersecurity has gained the attention of leadership in many healthcare organizations, that’s not always the case. Some CISOs simply do not have access to the executive team.
If that’s the case for you, it’s important to develop strategies that will get you in front of the C-suite — even if they have no interest in cybersecurity. This is where a strategic alliance can be beneficial. Working closely with a Risk or Privacy officer can help get you in front of the leadership team.
You might, for example, be included in their annual presentation. You can also ask that ally what topics are of interest to each member of the board — what sort of questions are asked during presentations, and how you can tailor your approach to each member of the leadership team.
Use clear communication to empower your hospital’s leadership
As CISO, you have important knowledge to deliver to your leadership. It’s your job to advise the executive team about cybersecurity and risk. How you deliver that information has a huge impact on the actions your executive team ultimately decides to take.
Learning how to communicate well with those leaders is a big part of your job.
Through productive, engaging exchanges with your hospital leadership, you empower your executive team to better understand cybersecurity. With your help, they can make the best possible decisions around healthcare cybersecurity for your organization.
For more insights and proven strategies for how to effectively communicate and gain cybersecurity buy-in from your healthcare executives and board, watch our on-demand webinar.