Executive summary

The value of cybersecurity should be crystal clear to life sciences and health care boards and leadership. Cybersecurity attacks and data breaches seem to be in the headlines almost daily, and sobering statistics are everywhere. The number of patient records impacted has nearly tripled in just one year, jumping from 5.5 million breached records in 2017 to about 15 million in 2018.¹ Health care data is valuable, and cybersecurity incidents can mean major costs for companies.
Operations, for example, could be held hostage, the supply chain could be disrupted, legal fees could
mount, and organizations could suffer meaningful but often difficult-to-quantify losses of reputation
and consumer trust.
But communicating this risk to senior leaders and the board can be challenging, according to our
research. “Cybersecurity is a top priority,” one life sciences chief information security officer (CISO)
told us. “But, there are many top priorities.”
The board and senior leaders of life sciences and health care organizations are dealing with cost
pressures and tightening margins, digital transformation, merger and acquisition activity, and fierce
competition around consumer engagement. The role of the CISO is to support those broader concerns—
“and do the best we can to minimize the risk and get the best value for the dollar.” Cybersecurity
communication is more than just describing the bad things that might happen and explaining
how the team is mitigating risks. The cybersecurity team also plays a key role in facilitating a seamless
experience for consumers, and helping the organization make the best use of its data.
Board members (tasked with governance issues) or executives in senior leadership roles (tasked with
operations) of life sciences and health care companies might not have a clear understanding of the
interplay between cybersecurity and the business.
Even though these leaders might rank cybersecurity as a top priority, when it comes to action, they might
not fully understand, or be able to act in the best possible way on, the advice coming from CISOs and
chief information officers (CIOs).
To help identify leading practices for communicating the value of cybersecurity to boards and
leadership, the Deloitte Center for Health Solutions interviewed 18 CISOs, CIOs, and C-suite executives
from biopharma companies, medical device manufacturers, health plans, and health systems, who are
involved in making decisions around cybersecurity.
Our goal was to find out what is working and what challenges lie ahead.
We identified seven strategies organizations should consider to improve their communications
around cybersecurity to their board and leadership (see figure 1). CISOs and CIOs told us that a major goal underpinning their communication strategies is to help board members and senior leaders move to
a “cyber everywhere” approach: an understanding that cybersecurity goes beyond the information
technology bucket and can help reduce risk across the enterprise.