How Gartner's 2024 cybersecurity trends can guide your cybersecurity efforts

April 01, 2024
Cyber Security Health IT

Trend: “Cybersecurity outcome-driven metrics: Bridging boardroom communication gap”
As Gartner puts it, “Outcome-driven metrics (ODMs) are increasingly being adopted to enable stakeholders to draw a line between cybersecurity investment and the delivered protection levels it generates”—particularly when it comes to communicating to executive leaders and the board.

ODMs measure the impact of your security investment and allow you to communicate effectively with executives who don’t have a technical background. For instance, tracking metrics such as mean time to detect or mean time to respond allows you to measure the effectiveness of your incident response plan. When the ODM improves, it signals that the security investment is returning stronger protection. If it declines, that indicates a drop in protection.

If you’re currently focused on cyber maturity, shifting to ODMs represents a change in mindset, and one Avertium recommends. While cyber maturity looks at what you have in place, ODMs look at how well those things perform. The benefit is that ODMs can and should tie back clearly to business objectives. The metrics can demonstrate how cybersecurity measures contribute to those objectives, from maintaining customer trust to protecting intellectual property.

Showing your stats to the board and other executives can feel daunting, particularly if those stats show you’re immature in certain areas. The instinct may be to hide those results from company leaders for fear that the data will be interpreted as weakness. In reality, the customers Avertium has seen be most successful at building strong long-term security programs are the ones who use those potentially negative results as an opportunity to advocate for the funding and staffing needed to improve ODMs.

Trend: “Resilience-driven, resource-efficient third-party cybersecurity risk management”
Many healthcare organizations have a multitude of third parties, and the risk that represents is well known. Gartner suggests moving away from “front loaded due diligence activities” and instead prioritizing partners based on cybersecurity risk. It advises that you “establish mutually beneficial relationships with important external partners, to ensure their most valuable assets are continuously safeguarded.”

It’s a shift from the norm of just assessing vendors and a move toward developing a resilience-driven strategy around third parties across the board. Doing so requires that you work closely with your vendors to ensure they have incident response plans and resource optimization in the event of an incident. Third parties should leverage automation tools to streamline backup, replication, and failover processes.
