Advice for the CxO from a CFO.
It has become clear to many healthcare executives that their ability to secure critical information, including employee and clinician records, as well as patient information, directly affects their hospitals’ overall long-term competitiveness. There's nothing like a HIPAA violation or the loss of hundreds of patient records to shake confidence in a healthcare organization's management (and, hence, the organization itself).
Serving as the CFO of a company that develops and markets data security software has given me a unique perspective on the business impact of information protection. The view comes not just from our own company, but from working directly with dozens of my counterparts and their security officers at numerous Global 2000 client companies over the past few years. The evolution of how large and medium-size companies secure their most important digital assets has helped shaped my views for the strategic role CFOs and other non-IT execs should play to maximize the investment in information protection.
In just a few years’ time, I have seen the motivations for organizations to protect proprietary data evolve from basic regulatory compliance to avoid fines and penalties to, in a growing number of cases, a fight for survival in an increasingly competitive global marketplace. Of course, with WikiLeaks and other high-profile corporate data leaks, CEOs and CFOs (as well as general counsels) are motivated more than ever to make certain that their organizations stay out of the Wall Street Journal because of a failure to protect their most valuable asset – their data – which translates into their brand.
A company's data security strategy must start with executive leadership and sponsorship at the CMO, CFO and CIO level. I have witnessed how protecting key data from misuse or theft can affect several aspects of a company’s value chain, including:
- Protecting patient information from those who would steal or misuse it;
- In the commercial world, affecting a new product’s manufacturing, pricing or market introduction, which could impact both the delivery and price that a hospital might pay for new technology;
- Defending a core competitive advantage; or
- Increasing the collaboration of sensitive information or intellectual property (IP) between strategic partners without increasing its risks.
The success of a well-thought-out data protection program depends entirely on how serious and committed senior management – particularly the CFO and CIO – is to investing the time and funds to support a culture that is accountable for data protection.
A lack of executive leadership contributes to one of the most common mistakes when companies make ad hoc investments in data security (to save a few dollars in the short term) without looking at the longer-term needs of the organization. This often happens when there is no overall dedicated program strategy and results in serial “point” technology acquisitions that attempt to reactively address security problems in isolation that are holistically linked.
The most successful programs I have seen are those organizations whose leadership has made information protection a true strategic initiative to preserve the long-term value of their data, and they back that commitment up with sufficient on-going resources, be it in the form of personnel and/or the right technology. This usually requires the CFO to have an active voice to ensure data security investments support a single, long-term strategy and avoid costly, tactical purchases.
Another challenge facing executives is their inability to (and lack of technology that will help) predict whether a data security solution will help or actually hurt their business. By “hurt,” I mean implementing a technology or policy that ultimately lowers employee productivity because it is not sufficient to address the security need or it impedes a worker's ability to transact business, it is incompatible with a critical business process or it is simply not scalable technically or financially.
The early planning stages of a successful data security program are where a CFO (along with other key stakeholders, perhaps even including patient care advocates or ombudsmen) must contribute input to ensure the expected end results of data security are completely aligned with corporate strategy.
The flip side of determining a program’s strategic objectives is defining its success metrics. In other words, how do you know if data security delivers what the business needs? Finding yourself on the wrong end of a HIPAA action is one way to know that a program has failed. This requirement would seem obvious in most other business contexts, but information protection is not as easily quantified as investments to maximize the return of tangible assets.
The lack of proper guidelines or evidence to measure data protection means healthcare facilities too often end up having no reliable way of pinpointing where security improvements are needed, or assessing how well a technology investment is performing. Since CFOs sit at the intersection of overall corporate strategy and asset protection and maximization, they can (and should) provide consultation for how to measure the impact of data security solutions and whether the forecasted benefits support the stated objectives.
Finally, the federal government is compelling companies to take data security even more seriously. As healthcare information exchanges become more common, and the threats are geopolitical in nature, the government has a growing interest in the state of data protection. Thus, CFOs must be prepared to play a primary role to assure shareholders and regulators, as well as patients, clinicians and other employees, that the issue of data security will not end in a loss of proprietary information or American intellectual property. The larger cause and effect of all this will likely be an enhanced scrutiny within board rooms and audit committees as directors demand assurance that their executive management teams are addressing data threats proactively.
About the author
Stephen Gregorio is senior vice president and chief financial officer of Verdasys Inc., an enterprise information protection software company. During his 20 years as a CFO, he has successfully negotiated equity and debt venture capital funding, managed both ends of mergers and acquisitions, and successfully run publicly traded companies. Learn more about Verdasys at www.verdasys.com.