
Page 1

© 2017 HITRUST Alliance.

Engaging Executive Leadership and the Board of Directors in Information Security Management

Robert Booker, UnitedHealth Group
Omar Khawaja, Highmark

Page 2

Agenda

1.  Management Needs
2.  Education for Awareness
3.  The ONE Question
4.  Tools and Tactics

Page 3

Management Needs

•  Understanding – of the problem and need
•  Benchmarking – Are we doing enough? Too much?
•  Confidence – In you, your program and your outcomes

Page 4

Management Needs … Understanding

•  …of the problem
•  In plain and non-technical terms
•  Using business and external context
•  Management are risk managers and do not need Fear, Uncertainty and Doubt

Page 5

It’s ok to take risks, as long as we do so deliberately and responsibly

Page 6

Management Needs … Benchmarking

•  Where should we be?
•  Are we there?
•  Where are others?
•  Are we doing enough?
•  How much is enough?
•  What should we eliminate?
•  Objective measures are critical

Page 7

“That’s how we did it before” is not a good reason to keep doing it

Page 8

Management Needs … Confidence

•  Who are you with at the leadership table?
•  Do you have a plan?
•  How do you know it is correct?
•  Who do you sharpen it against?
•  How do you measure and monitor?
•  Do you have a plan for that day?

Page 9

Even Volvos get into accidents

Page 10

Who is educating Management and the Board?

•  Who are they?
•  What are they saying?
•  Are they working with you?
•  Who else do they know and work with?
•  What has management read recently?
•  Are you providing context?

Page 11

The ONE question?

Page 12

Four Corners for the Board

Benchmark (Positive Trend)

•  Industry comparisons
•  Fortune x comparisons
•  Consider maturity and completeness over spend and staff size

HITRUST Maturity Model (Positive Trend)

•  Measures operational maturity of basic security capability
•  Current rating of …
•  Enterprise goal is …
•  2017 goal is …

Reportable Matters

Situational Considerations

Page 13

Explain Measures

Maturity rating scale (1 to 5):

1  Policies are used
2  Policies and supporting procedures and technologies are used
3  Policies and supporting procedures and technologies are consistently used
4  Consistently produces and actively monitors status metrics for information security program
5  Routinely conducts tests to evaluate adequacy and effectiveness of implemented controls

Page 14

All data is not created equal… context matters

Page 15

In conclusion…

1.  Business leaders are risk managers
2.  They require confidence that we are engaged and on top of this risk
3.  They want us to be part of the leadership team as leadership responds
4.  They want to know that we are reasonable and complete in our approach
5.  They need context for discussions with others
6.  They want to know we are prepared for the crisis

Page 16

When you find yourself in a hole, stop digging

Page 17

Visit www.HITRUSTAlliance.net for more information

To view our latest documents, visit the Content Spotlight