Customer Spotlight: How Amedisys CISO Proves Security’s Value to the Business

Vulnerability management can often feel like a thankless job, especially when your leadership team has a difficult time understanding the progress you’re making. We’ve found that the most successful security programs are the ones that are able to align their objectives with the business goals of the organization.


By showing your non-technical audience measurable progress in the context that resonates with them, you can:


Raise your leadership team’s confidence in your program
Increase their willingness to “buy in”
Justify future investments in security programs

We (virtually) sat down with Richard Kaufmann, CISO of healthcare company Amedisys, to get a firsthand perspective of the importance of measuring value in terms of business impact and successfully securing more budget—especially during these tumultuous times.


Q: In general, how do you measure the ROI or value of your information security program?


A: For a healthcare company, the historic answer to this question would be something along the lines of protecting patient PHI and PII, but to a modern security program, our job within the healthcare vertical extends far beyond this basic capability. Preventing non-authorized PHI and PII disclosures isn’t even table stakes these days—it’s the cost of the buy-in. Many healthcare organizations’ security budgets are fractions of the potential cost of a data breach. Our company measures the value of our security program as a percentage of this exposure, but we also take into account the number of cyber-attacks that are unsuccessful, as well as the near misses, on an annual basis.


Vulnerability management and threat intelligence is a great example of how we approach this. Through threat intelligence, we can say to our organization, “Here is what most of t ..