A CFO Shares Practical Insights on Gaining Necessary Funding
Getting the C-suite to support sufficient funding for cybersecurity requires three important steps, says Mary Chaput, CFO and compliance officer at the security consultancy Clearwater Compliance.
The first step is getting an advocate in the C-suite, Chaput says in an interview with Information Security Media Group.
"Typically, that might be the VP of risk management. But I have found that the most effective is the CFO," says Chaput, who has decades of experience as a CFO, including at two other healthcare-related companies.
"CFOs understand risk management," she says. "The IT folks and other people who have functions for protecting this information need to have a sponsor in the C-suite to have the guidance, support and feedback from an individual that's supportive of the end-game."
The second step is making it clear to leadership that cybersecurity is a patient safety issue, she says.
"This is about quality of care and patient safety, and there are ramifications to organizations that don't take a focused view on mitigating that risk. That is made up of reputational, financial, legal, regulatory and operational repercussions that can affect the financials of the organization," she says.
The third essential step, Chaput says, is forming a workgroup to "take a stab at [estimating] what a data breach would cost their specific organization," she says.
"That sometimes brings the rest of the C-suite - including the CEO - on board in investing in stronger safeguards and controls as pointed out in a bona fide risk analysis."
Security professionals need to emphasize that keeping data secure isn't just an IT problem, Chaput notes. "It is a problem of every individual and every function that creates, receives, maintains or transmits health information. And it takes the entire organization and money from various budgets to put the protections in place for that information."
In the interview (see audio link below photo), Chaput also discusses:
- How attitudes about investing in cybersecurity are changing;
- Critical considerations concerning cyber insurance;
- The potential impact on cybersecurity budgets if federal regulators attempt to recoup inappropriately paid HITECH Act "meaningful use" electronic health recordincentive payments;
Chaput is Clearwater Compliance's CFO and compliance officer. She has 35 years of operational management and financial experience for publicly traded companies in the information services and healthcare industries. Previously, she was CFO of Healthways, an employee wellness company, and ClinTrials Research, a research organization that conducts clinical trials for pharmaceutical and biotech companies.