This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today in Health IT, we're discussing CFOs suiting up for cyber war as risk management evolves. This episode is brought to you by Omnissa, the first AI driven platform enabling seamless, secure, personalized work experiences. Discover more at ThisWeekHealth.com backslash Omnissa. My name is Kate Gamble. I'm Managing Editor for This Week Health, where we host a set of channels and events dedicated to transforming health care, one connection at a time.
I've spent the last 12 years interviewing CIOs, and I'm excited to bring that knowledge into this community of leaders. Today we're talking about CFOs suiting up for cyber war as risk management evolves, and I'm joined by Sarah Richardson, President of This Week Health 229 Executive Development Community.
Sarah, welcome to the show.
Always great to see you, Kate.
Today we're talking about how chief financial officers are increasingly involved in cyber security as digital transformation heightens risk. So CFOs, of course, traditionally focused on financial risk, but now are working with IT and security leaders to safeguard assets from cyber threats, data breaches, third party risks. This shift is crucial for protecting financial data, mitigating disruptions, and ensuring compliance. We know that cyber attacks are happening with greater frequency than before. And with the industry becoming so reliant on digital tools, it could potentially get worse. So it's really important for all the C suite members to be stakeholders. And that includes CFOs, because cyber attacks can lead to financial losses, whether it's from ransomware, business reputational damage. So just wanted to get your thoughts on the CIOs working closely with CFOs and why that's so important and how they can go about doing that.
I love this question, or this whole idea of the CFOs becoming increasingly tasked with cybersecurity as a part of their responsibility because today many CIOs still report to the CFO.
Over the years, we've seen that dynamic change a bit. Sometimes it's to the COO, sometimes it's to the CEO, and again, regardless of to whom you report in any role, having the C suite be aligned on the importance of certain aspects of things like cybersecurity is huge. Now, the fact that protecting yourself and your organization has become to a degree more of a frontline conversation and a frontline conversation when it comes to budgeting, that the financial data being as much of a target in some cases, if not more so than the PHI and the PII, these are things that if you don't report to the CFO, you're having these constant conversations with them.
If you do report to them, then you are also thinking about how you are structuring the budget and opportunities within the organization to be able to fund things like data protection, making sure our patient financial data and patient health information is secure. The collaboration with the finance teams.
What is their handling of the data and information look like? And I've worked with that with financial teams that, that first group to pull down their own cube and run their own reports or be able to start looking at some of the ghost IT operations. Have IT embedded in finance really tightly.
Understanding that operational continuity and how cyber risk can disrupt healthcare services. One of the key questions is how much cash on hand do you have? Because if you did an average of downtime associated with either ransomware outages or other effects that we've seen even this year from many of our peers, you need to have about a month worth of cash on hand to cover your costs.
Some of your responsibilities, and that's not always true for some of these systems. And then really leaning into the regulatory components, it's yes, we have to meet strict data protection standards, but getting to clean data and data sources that are trusted and modeled, whether we're using them for AI or otherwise, and some of the decision support capabilities, that's not a one time endeavor.
Being able to fund appropriately and really manage the governance around all aspects of your data programs is an ongoing mechanism in the organization that is so important for everyone in the C suite to be aligned upon, but really for the CIO and the CFO to go into these meetings aligned ahead of time so that it's not, Hey, can you guys take this away and tell me this modeling feature for how much this is going to cost for this piece?
It's a separate conversation outside of the larger governance group so that the CFO are constantly aligned on the cost of making sure we're doing the right things when it comes to data and cyber hygiene.
Yeah, really interesting. And of course, for CIOs, having to justify spend is not anything new, but does the conversation change a bit when you're talking about cybersecurity and getting those funds?
It does because you're going to have your insurance policy and either goes up or down based on your ability to meet certain requirements or have certain certifications. I think about how important it is to be HITRUST certified for many organizations. That alone allows you to often have a reduction in the cost of your cyber insurance.
But now, with all of the effort we have placed in going to platform systems, many of them SaaS based, many of them large and holding big components of operational capabilities, securing that third party vendor relationship is going to be huge. And then evaluating them for security vulnerabilities and ensuring that the ongoing training is not just with your employees, it's also with your partners and then appreciating what your entire enterprise architecture looks like.
You're already in a relationship with your key partners. When your key partners know the vastness of your ecosystem, how many platforms you have, how many point solutions you have, integration components, all of those factors matter. And too often we're seeing that the entry point for a lot of the nefarious actors is coming through some kind of a connection between you and your third party or a program that the third party is utilizing.
That alone is worth a conversation ongoing with both the key partners. The vendor management component, so security, risk, compliance, legal, that whole group, often in that realm of the CFO or chief legal officer, needs to be something that you're talking about regularly, and especially when it comes to the financial considerations through ongoing operations and budget season.
I like how you brought into this conversation vendor management, third party risks. That's such a huge part of this too, and really, I think we're seeing more emphasis on that now because, like you said, how some of these attacks are originating. So that's just such a big part of this.
And for the CIOs who don't report to CFOs, is there any kind of tips or advice you can give for really making sure that they're building that alignment.
Oh, absolutely. Because here's the thing I've done forever. I learned this years ago in a class was stakeholder analysis.
Make sure you know who are your supporters and who are your detractors and, where on the continuum they are. Are they weak or are they strong in both? And because the relationship with some members of your C suite is going to be more often than others. You may meet with the CFO once a week. Or every couple of weeks. I think about how much weight each person on the team carries. And in different organizations, it's different. It could be based on legacy, tenure, etc. The CFO is one of those roles that you have to be in lockstep with all of the time. It may be the person that you go toe to toe with the most often as well.
And some of my favorite relationships I've had with CFOs, it's the one that I typically may disagree with the most on overall approach, but because we're willing to hear the other person out and really listen to one another. Then we're able to figure out a solution that when we get to the larger group, they may see a spar a bit.
They also see that it is a respectful spar that allowed us to get to the best outcome for the organization. You want those relationships. You want to have a little bit of give and take with anyone with whom you need to negotiate internally, because if you get your chops negotiating internally down well, then when you face outward and you and your CFO, regardless of reporting structure, are having a conversation with that partner.
You're already united front and sometimes that good cop, bad cop can play really effectively into things like negotiations and holding vendors accountable for things that may come up. So whether you report to them or not, make sure you know how often you need to be speaking to that person and finding common ground.
You're both there for the same reason. So when you start with a commonality, you can often overcome some of the other challenges that may exist in that relationship.
And, as we can see, it's so important that these relationships are built and maintained and that these important discussions are happening.
And sometimes the relationships that are the hardest to create and build are the ones that are the most withstanding as we go forward, because you had to put the extra effort into making it one that was positive.
Definitely. Good stuff. Don't forget to share this podcast with a friend or colleague.
Use it as a foundation for daily or weekly discussions on the topics that are relevant to you and the industry. They can subscribe wherever you listen to podcasts. Thank you for listening. And that's a wrap.