A CISO's Strategy for Winning Funding

Pinpointing Risks Helps Gain Buy-In for Security Investments
Making senior management aware of the risks involved in failing to invest in security technology is essential to getting buy-in, says Phil Curran, CISO at Cooper University Health Care.

Healthcare organizations looking to optimize stretched resources face the difficult task of weighing spending options, such as choosing between investing in medical equipment for patient care or tools to improve detection of cybersecurity threats, Curran says.

"The reason for us not having SIEM [security information and event management system] until now is the cost of the SIEM, and getting our senior managers to pay for the capital costs versus a new PET scanner or MRI machine," Curran says in an interview with Information Security Media Group. He's chief information security and privacy officer at the Camden, N.J.-based health care system that includes more than 700 physicians and a hospital that's the clinical campus of the Cooper Medical School of Rowan University.

"But we finally got the capital dollars and ... we should have something in place by the end of the year," he says.

To help win senior leadership support for security investments, such as SIEM, Curran says he conducts risk assessments. "Our business leaders understand risk. On a daily basis they make decisions based on financial risk, and marketplace risk. They have a hard time understanding information risk until you put it into a risk assessment format. ... Based on that risk assessment, they provided us with that capital investment - they understood what the risks were. ..."

Assessing Threats

Curran also uses risk assessments on a daily basis to help identity and sort through the variety of potential risks and threats the organization faces.

"We've always used a risk assessment process to make a determination of whether we're going to react to a risk and prioritize how we're going to do that," he says.

"When we get an alert or a warning, the first thing we do is we look to see if we have any hardware or software that is actually affected by that alert. If we don't, then we don't react to that. If we do, we'll look at the alert and make a determination of the likelihood and the impact we have based on the controls we have in place, and then make a determination on how soon we have to mitigate that risk," he says. "We essentially follow a very systemic risk assessment process."

In the interview, Curran also discusses:

  • The external resources that his organization relies on for gaining cybersecurity intelligence;
  • Why many healthcare organizations are often reluctant to share cyberthreat intelligence with each other;
  • The biggest cybersecurity threats he sees facing the healthcare sector.

Curran has more than 20 years of experience in strategic planning, information assurance, regulatory compliance and risk management. Before joining Cooper University Health Care, he spent 20 years in the U.S. Air Force.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.