Written by: Renee E. Broadbent
Data security is a topic that is widely debated and discussed, yet managed and implemented inconsistently across organizations. On one end of the spectrum, the management and protection of critical data assets is left to IT. IT department resources are often proficient technically, but lack the regulatory and business-based knowledge necessary to take proactive measures. On the other end of the spectrum, organizations designate security officials who manage data security from a strategic level. A vast majority of organizations fall somewhere in the middle. Many do not have a designated official—an Information Security Officer (ISO). In fact, in a recent poll by Cyber Talk, well over half the organizations that participated didn’t have a designated security official—leaving their businesses vulnerable.
The lack of an ISO is frightening. What should be even more alarming is that many organizations lack an information security strategic plan—and, oftentimes, those that do have a plan may be implementing tactics that are ineffective or outdated. As a result, information security lacks focus and consistency across the enterprise—rendering a higher cybersecurity risk and leading to a greater likelihood of a security breach. If organizations continue to view strategic planning as impractical or unnecessary, they are less likely to effectively manage information risk (Health IT News).
According to Health IT News, 90% of the world’s data has been generated in the last two years, making a data security strategic plan, led by a Chief Information Security Officer (CISO), a critical part of any organization’s overall strategy.
All industries face challenges regarding data security, and each carries valuable information that tempts cyber criminals. The result of a data breach can have a long-term impact on an organization, including loss of customer trust, which can result in serious financial consequences. Additionally, a data breach does not just affect the year it occurred—it bleeds into subsequent years. In year one of a breach, an organization can expect to incur 67% of the cost to rectify the damage. However, in years two and three, those numbers are 22% and 11% respectively (Ponemon 2019). This can result in serious reputational damage, which is often difficult to recover from.
Technology is becoming increasingly complex, and most organizations are migrating data to third-party cloud solutions for ease and cost effectiveness. But, this creates other challenges, because a breach by a third-party only amplifies the cost of damage control and the impact on the organization. Additionally, new threats are constantly emerging, so a sound training and awareness program regarding cybersecurity is necessary.
So how can you can get ahead of something that is constantly evolving? It’s simple—make data security a priority and integrate it directly into the corporate strategy. Security needs a seat at the executive level in order to be effective. It can no longer be ‘stuck in the basement’ as an afterthought.
The importance of a CISO role is immense, and having a CISO as your designated security official to focus on strategy is a step in the right direction to help protect your organization. The ideal candidate will have both technical and business-based acumen, and will be able to spark a change in the organizational mindset from security and compliance to risk strategy and management. For those organizations that may not want to hire a full-time CISO, a virtual Chief Information Security Officer (vCISO) is a great option.
With a vCISO, you receive a top advisor with a wealth of experience in the field at a lower cost. The vCISO can help you define and implement your strategic plan, and as the client, you have the ability to control the cost—making this an effective and desirable solution.
Benefits of a vCISO:
- The ISO role is hard to fill. And, due to salary requirements and organizational experience, supporting the function of an ISO is a difficult proposition. An experienced vCISO can fill this role at a fraction of the cost of a full-time staff member.
- Organizations remain focused on “defensive” security. An effective vCISO will help move your organization from a defensive strategy to a proactive approach to data security. The right partner will allow you to leverage the full power of its resources to understand your risks and create remediation plans accordingly.
- A 2018 study by IBM reports the global average cost of a data breach is up 6.4% over the previous year—reaching $3.86 million. The average cost for each lost or stolen record containing sensitive and confidential information also increased by 4.8%, reaching $148.9 million.
Protecting your data is serious business. It’s your job as an organization to ensure that you are in compliance with all the security laws governing your business and industry, and to ensure the highest level of protection for your most valuable assets. It’s not a matter of if a breach will happen—it’s a matter of when. Having the necessary security measures, including your designated security official, is key to surviving a cyber-attack.
About Wolf & Company, P.C.
Wolf & Company is entering our second century providing assurance, tax, risk management, and business consulting. Clients can expect direct involvement from the Firm’s owners and senior management, and responsive service from a multi-disciplinary team. Our collaborative service strategy enables us to develop a deep understanding of clients and their business needs, and to maximize opportunities while navigating any potential obstacles.
Wolf’s areas of focus include Financial Institutions, Investment Advisors, Healthcare, Technology Companies, Manufacturing, Distribution, and Retail Companies, and Private Clients. The Firm employs over 250 people, is registered with and inspected by the PCAOB, and is a member of Allinial Global, a national and international affiliation of CPA firms.
Wolf’s vCISO Advisory Practice performs a Current State Assessment (CSA) to understand your business, provides you practical ways to assess risk within your technology environment, and helps make sure you are meeting regulatory standards and industry best practices. Our vCISO practice has proven former CISO’s that can provide consulting and flexible remediation.
About the Author
Renee Broadbent, MBA, HITRUST CCSFP, serves as Senior Manager, vCISO Services, for Wolf & Company, where she develops, implements, and provides vCISO services for clients. She is a senior-level healthcare executive with an extensive background in information security, strategic planning, information technology, HIPAA, data interoperability, and value-based care.
She has held the role of Chief Information Security Officer and Chief Information Officer in both hospital health systems and Managed Care Organizations (MCO).
Most recently, Renee served as AVP of Population Health Information Technology and Strategy at UMassMemorial Health Care in Worcester, Massachusetts. She was part of the leadership team that achieved $22 million in savings for the Accountable Care Organization, and was a member of the Cyber Security Executive Committee, which provided oversite to the health system on the execution of the data security strategy.