How to Talk to Your Board About Cyber Risk - And Actually Get Funding

Communicating cyber risk to your board is crucial for securing funding. Learn how to present data and align cybersecurity with healthcare priorities.

Post Summary

Cyberattacks on healthcare organizations are escalating, with 92% of these institutions experiencing at least one cyberattack in 2024. The financial and human costs are severe - data breaches average $11 million per incident, and nearly 28% of organizations report increased patient mortality linked to cyber incidents. Yet, 40% of cybersecurity teams cite insufficient funding as a key barrier. To secure board approval for cybersecurity budgets, you must connect cyber risks to business priorities like patient safety, compliance, and financial stability.

Key Takeaways:

  • Financial Impact: Healthcare breaches cost $408 per record, far above the $148 cross-industry average.
  • Operational Disruptions: 69% of organizations report care delays after attacks; 56% see postponed procedures.
  • Patient Safety: Cyberattacks have led to a 50% rise in mortality rates for organizations experiencing data loss.
  • Communication Strategy: Translate technical risks into business terms (e.g., financial exposure, patient care impact) and tailor your message to board members' expertise.

Boards respond to clear, data-backed presentations. Use financial metrics, real-world examples, and risk quantification models to demonstrate the cost of inaction. Tools like Censinet RiskOps™ can simplify reporting, streamline risk assessments, and provide dashboards that align cybersecurity efforts with organizational goals. Keep the focus on how cybersecurity investments protect both patient care and the institution’s financial health.

Know What Your Board Cares About

With cyber threats becoming a constant concern, understanding what matters to your board is essential. Board members are focused on business continuity, financial performance, and strategic goals. To secure the funding you need for cybersecurity, you’ll have to frame your message in a way that resonates with these priorities. The key? Show how cyber risks directly impact the issues that keep them up at night. Then, connect your cybersecurity plans to the organization’s core goals.

"The CISO-board relationship is one of the most critical dynamics in business today. The organization's future depends on it." - Security Intelligence [4]

Find the Key Business Goals

Healthcare boards typically focus on four main areas:

  • Operational Continuity: Highlight how preventing system shutdowns can save millions in lost revenue and recovery costs.
  • Regulatory Compliance: Stress that meeting laws like HIPAA and HITECH helps avoid hefty fines and legal troubles.
  • Patient Safety: Show how strong security measures prevent care delays and safeguard patient outcomes.
  • Reputation Management: Emphasize that protecting against breaches helps maintain brand trust and market position.

John Riggi, senior cybersecurity advisor at the American Hospital Association, underscores this perspective:

"Boards should elevate the issue of cyber risk as an enterprise risk management issue, on par and in the context of patient safety and care delivery. And they should ensure they receive regular briefings and updates on the cyber risk profile, and that adequate steps are being taken to mitigate the risk." [3]

Match Your Message to Their Knowledge Level

Once you’ve identified the board’s priorities, tailor your message to their individual expertise. Not all board members have the same technical background, so speaking their language is key.

  • Financial Executives: These members respond well to cost-benefit analyses and ROI figures. Frame cybersecurity as financial insurance against potential losses. Geoff Hancock, CEO at Access Point Technology and cybersecurity advisor to Fortune 50 companies, explains:

    "The boardroom energy shifts when I start translating cybersecurity risks into financial terms. Suddenly, data breaches [aren't] abstract - they [are] million-dollar risks." [5]

  • Clinical Leaders: Focus on how cybersecurity protects patient care. Use real-world examples of how attacks have disrupted clinical workflows and harmed patient outcomes.
  • Legal and Compliance Officers: Highlight how investments in security help meet regulatory requirements and reduce legal risks.

Kirsten Davies, former CISO at Unilever, emphasizes the importance of clear communication:

"In the boardroom…the CISO has to be the translator in order to help the board interpret what exactly is the risk posture of the organization." [5]

Avoid technical jargon when addressing the board. Instead of saying “advanced persistent threats,” say “well-resourced attackers who target patient data and can stay hidden in our systems for months.” Replace “zero-day vulnerabilities” with “security flaws that have no fix available yet and that criminals are already exploiting.”

To make your case even stronger, use a practical model like FAIR (Factor Analysis of Information Risk). FAIR breaks a risk down into how often a loss event is likely to occur and how much each event would cost, then combines the two into a probable loss range in dollars. That turns a security issue into the kind of figure the board already uses to weigh other enterprise risks: probability, financial exposure, and business impact.

Finally, position cybersecurity as a vital part of the organization’s overall risk management strategy. Show how it supports long-term goals and offer solutions with clear, actionable steps.

Turn Cyber Risks into Business Consequences

Boards understand business implications, not technical jargon. When discussing cyber risks, it's crucial to frame them in terms of dollars, operational disruptions, and strategic setbacks. By aligning your presentation with the board's priorities, you can transform raw risk data into clear, actionable business insights.

Make it clear how cyber threats directly threaten the organization's ability to achieve its mission. For example, healthcare boards need to see how weak cybersecurity could disrupt patient care, breach compliance standards, or destabilize financial operations.

Calculate What Inaction Costs

Numbers have a way of cutting through the noise. To gain the board's support, present a clear picture of the financial implications of cyber risks. Healthcare breaches now average over $11 million per incident, underscoring the steep cost of doing nothing [1].

Operational Disruption Costs: Cyberattacks don't just compromise data - they can grind operations to a halt. On average, disruptions from cyber incidents cost $1.47 million [2]. Nearly 70% of healthcare organizations report that these attacks have directly impacted patient care [2], leading to delayed procedures, diverted patients, and lost revenue.

Regulatory and Compliance Penalties: Healthcare providers operate under strict regulations like HIPAA and HITECH. In 2023 alone, around 400 hacks exposed the protected health information of 74 million individuals in the U.S. [7]. Each breach brings potential fines, legal expenses, and drawn-out regulatory investigations.

Leverage Cyber Risk Quantification (CRQ) models to estimate the potential costs of breaches, identify vulnerabilities, and monitor changes in risk exposure [6].

Show Examples from Other Healthcare Organizations

Real-world incidents can make the risks feel tangible, turning abstract threats into measurable consequences.

  • Change Healthcare: In February 2024, a ransomware attack disrupted payment processing systems across hospitals and pharmacies nationwide. The company reportedly paid $22 million in Bitcoin ransom [8].
  • Ascension Health: A ransomware attack in May 2024 caused network disruptions, impacting claims submissions, payment processing, and overall revenue cycle operations. Facility volumes dropped by 8%–12% during May and June 2024 compared to the previous year, delaying or rescheduling numerous medical procedures [8].
  • California Healthcare Provider: A cyberattack forced the organization to shut down its IT systems, including backups. Staff reverted to manual processes, and nearby hospitals reported a 47.6% increase in median waiting times due to diverted patients. The total losses were estimated at $120 million [1].

Patient Safety Consequences: The human toll of cyberattacks adds urgency. A 2024 survey revealed that 56% of organizations experienced delays in procedures or tests due to cybersecurity incidents. Additionally, 53% reported an increase in medical complications, and 28% noted a rise in patient mortality - a 21% jump from the prior year [2].

"Boards should understand that cyber risk represents an enterprise risk to the organization and is primarily a risk to patient safety."

  • John Riggi, National Advisor for Cybersecurity and Risk, American Hospital Association [7]

These examples highlight how cybersecurity breaches can endanger patient care and threaten an organization's stability. When addressing your board, emphasize that 92% of healthcare organizations have faced at least one cyberattack [2]. It's no longer a matter of "if" but "when."

Tailor these examples to your organization's specific context. For instance, if your hospital has patient volumes similar to Ascension Health, calculate how an 8%–12% drop could affect your revenue. If your payment systems resemble those of Change Healthcare, estimate the financial impact of nationwide disruptions on your receivables and day-to-day operations.

Build Your Funding Case with Data

When it comes to securing cybersecurity funding, data is your best ally. It transforms abstract cyber risks into actionable business decisions. While 84% of board directors see cyber risk as a business issue, only 29% truly understand cybersecurity, making it essential to translate technical jargon into business-friendly language [9]. Alarmingly, only 23% of companies report that their cybersecurity metrics are clearly understood by top executives [11].

"Many CISOs have grown up as technologists and are accustomed to speaking very technically. And that's not a bad thing for the right audience, which is usually the cybersecurity or IT team. However, in a boardroom, speaking in a language and utilizing terms that the board will understand is crucial to getting their point across in a meaningful way." - Larry Whiteside [10]

To start, benchmark your current cybersecurity standing using industry standards. This helps clarify gaps and sets the stage for your funding case.

Use Industry Standards to Show Gaps

Benchmarking against industry standards gives boards the context they need to evaluate your cybersecurity posture. Without these comparisons, funding requests can feel arbitrary [12]. Use publicly available data to show how your organization stacks up against peers.

  • Financial Benchmarks: Mature enterprises typically allocate 7% to 15% of their IT budget to cybersecurity [12]. If your spending falls short, highlight the gap and explain what additional funding could achieve.
  • Assessment Results: Share findings from vulnerability assessments - such as wireless, network, or host evaluations - to translate technical risks into business terms, like potential operational disruptions or compliance issues [10].
  • Compliance Alignment: Link your funding needs to maintaining compliance with frameworks like HIPAA, HITECH, or other relevant regulations. This approach demonstrates how your requests support broader organizational goals [12].

You can also compare your security performance to competitors and industry leaders, helping board members understand acceptable risk levels and the value of additional investments [9].

Show Return on Investment

Once you've identified gaps, it's time to demonstrate the value of closing them. Boards need to see how cybersecurity investments translate into measurable business benefits. With 88% of executives agreeing that measuring cyber risk is critical - but only 15% actually quantifying financial impacts [13] - clear ROI calculations are essential.

  • Cost Avoidance: A strong incident response plan can save $1.49 million compared to the average breach cost of $4.88 million [13][15].
  • Efficiency Gains: Implementing security AI and automation can lead to savings of $2.2 million in breach costs [16].
  • Risk Reduction: Use the ROSI formula: (Cost Avoidance – Investment) ÷ Investment [14], where cost avoidance is the reduction in expected annual loss the control is projected to deliver. This metric directly ties cybersecurity initiatives to their financial benefits.
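The FAIR decomposition described under "Match Your Message to Their Knowledge Level", the cyber risk quantification models mentioned under "Calculate What Inaction Costs", and the ROSI formula above can be run end to end in a few dozen lines. The Python script below is an added example written for this article; it is not part of the original post and not Censinet's software. Every number in it (the loss event frequency and loss magnitude ranges for a ransomware scenario, the effect of the proposed control, and the $400,000 control cost) is an assumed placeholder to be replaced with your organization's own calibrated estimates; the only figures taken from the page are the $1.49 million cost avoidance and the $4.88 million average breach cost used in the final ROSI line.

```python
"""FAIR-style cyber risk quantification with a ROSI calculation.

Added example, not from the original post or from Censinet. All scenario
parameters below are illustrative placeholders (assumptions), not measured
data; replace them with your own calibrated estimates.
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """Three-point (min / most likely / max) estimates for one loss scenario.

    FAIR factors risk into Loss Event Frequency (events per year) and
    Loss Magnitude (USD per event); each is estimated as a range.
    """
    name: str
    lef: tuple  # (min, likely, max) events per year
    lm: tuple   # (min, likely, max) USD per event


def pert_sample(rng, low, mode, high, lam=4.0):
    """Draw one value from a PERT distribution (a rescaled beta), the usual
    way a three-point expert estimate is turned into a distribution."""
    if high <= low:
        return low
    alpha = 1.0 + lam * (mode - low) / (high - low)
    beta = 1.0 + lam * (high - mode) / (high - low)
    return low + rng.betavariate(alpha, beta) * (high - low)


def pert_mean(low, mode, high):
    """Closed-form mean of the PERT distribution (lambda = 4)."""
    return (low + 4.0 * mode + high) / 6.0


def poisson_sample(rng, lam):
    """Number of loss events in one year at expected rate lam (Knuth's method)."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def expected_annual_loss(scn):
    """Point-estimate ALE: mean frequency x mean magnitude (no simulation)."""
    return pert_mean(*scn.lef) * pert_mean(*scn.lm)


def simulate(scn, years=20000, seed=1):
    """Monte Carlo: annual loss distribution for one scenario.

    Returns ALE (mean), median and 95th percentile of annual loss in USD.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        rate = pert_sample(rng, *scn.lef)
        n_events = poisson_sample(rng, rate)
        annual.append(sum(pert_sample(rng, *scn.lm) for _ in range(n_events)))
    annual.sort()
    return {
        "ale": sum(annual) / years,
        "p50": annual[years // 2],
        "p95": annual[int(0.95 * years)],
    }


def rosi(cost_avoidance, investment):
    """Return on Security Investment: (cost avoidance - investment) / investment."""
    if investment <= 0:
        raise ValueError("investment must be positive")
    return (cost_avoidance - investment) / investment


def control_case(before, after, investment, years=20000, seed=1):
    """Compare a scenario with and without a proposed control; cost avoidance
    is the drop in ALE, and ROSI is computed from it."""
    b, a = simulate(before, years, seed), simulate(after, years, seed)
    avoided = b["ale"] - a["ale"]
    return {"ale_before": b["ale"], "ale_after": a["ale"],
            "p95_before": b["p95"], "p95_after": a["p95"],
            "cost_avoidance": avoided, "rosi": rosi(avoided, investment)}


# Illustrative scenario (assumed values): ransomware on clinical systems,
# before and after a hypothetical control program (EDR plus tested backups).
RANSOMWARE_BEFORE = Scenario("ransomware, current posture",
                             lef=(0.10, 0.30, 0.60),
                             lm=(1_000_000, 4_000_000, 12_000_000))
RANSOMWARE_AFTER = Scenario("ransomware, with proposed controls",
                            lef=(0.05, 0.15, 0.30),
                            lm=(500_000, 1_500_000, 5_000_000))
CONTROL_INVESTMENT = 400_000  # assumed annualised cost of the control program

if __name__ == "__main__":
    result = control_case(RANSOMWARE_BEFORE, RANSOMWARE_AFTER, CONTROL_INVESTMENT)
    for key, value in result.items():
        print(f"{key:>16}: {value:,.2f}")
    # Figures the page cites: $1.49M avoided by an IR plan against a $4.88M
    # average breach [13][15]; the $500k program cost is an assumption.
    print(f"ROSI of a $500k IR program avoiding $1.49M: {rosi(1_490_000, 500_000):.0%}")
```

Run it as-is to print the annualized loss expectation (ALE) before and after the proposed control, the 95th-percentile loss year (the "bad year" figure that often lands better with a board than an average), the projected cost avoidance, and the resulting ROSI. Presenting the range (median and p95) rather than a single number is what keeps the estimate honest when a board member asks how confident you are in it.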

Frame cybersecurity as a smart investment that supports the organization’s strategic goals. By linking key performance indicators (KPIs) to business outcomes, you can show how improved security contributes to long-term success [12].

Use Charts and Dashboards to Show Risk

Visual tools can make complex cybersecurity data more accessible for board members [10]. Charts and graphs cut through technical jargon, helping decision-makers focus on key risks and opportunities.

  • Risk Heat Maps: Highlight high-risk areas using color-coded visuals to make it clear where immediate attention - and funding - are needed.
  • Trend Analysis: Show how your security metrics have improved over time and project future trends based on current versus proposed investments. Metrics like threat detection times, incident response times, and compliance scores provide valuable insights.
  • Comparative Dashboards: Present side-by-side comparisons of your organization's performance against industry benchmarks. Include metrics such as vulnerability patch times, training completion rates, and vendor risk scores.
  • Financial Impact Charts: Translate technical issues into financial terms. For instance, instead of listing 150 unpatched vulnerabilities, show how they could lead to $2.3 million in potential breach costs based on industry averages.

Regular reporting on these metrics not only builds credibility for future funding requests but also demonstrates accountability for how current resources are being used [11]. This transparency strengthens your case and fosters trust with decision-makers.

Use Censinet for Healthcare Cyber Risk Management

Healthcare organizations face cybersecurity challenges that go beyond what generic platforms can handle. That’s where Censinet RiskOps™ steps in. Designed specifically for healthcare, it transforms complex security demands into actionable insights for leadership. As Matt Christensen, Sr. Director GRC at Intermountain Health, aptly puts it:

"Healthcare is the most complex industry... You can't just take a tool and apply it to healthcare if it wasn't built specifically for healthcare" [18].

This industry-specific approach is vital for tackling unique concerns like patient data protection, medical device security, and compliance. With these tools, organizations can streamline assessments, improve reporting for leadership, and scale their governance efforts effectively.

Speed Up Risk Assessments and Compliance

Traditional risk assessments often drag out, delaying necessary security updates. Censinet RiskOps™ changes the game with its automation and healthcare-focused workflows. Its Digital Risk Catalog™, which includes over 40,000 vendors and products, allows organizations to speed up risk assessments across all third parties throughout their lifecycle [17].

One standout feature is Delta-Based Reassessments, which focus only on what has changed since the last evaluation. This reduces the time needed for reassessments to less than a day on average [17]. For compliance, the platform offers guided workflows that align with healthcare-specific requirements such as the HHS 405(d) Health Industry Cybersecurity Practices (HICP), making internal self-assessments more efficient.

Give Boards Clear Risk Visibility

Boards often struggle to interpret technical cybersecurity data. Censinet RiskOps™ bridges this gap with executive dashboards that translate security metrics into business terms. These dashboards provide real-time insights into overall cyber posture, HICP coverage, and actionable data on overdue tasks, missing evidence, and open risks [17]. This clarity helps boards identify funding priorities and track the progress of cybersecurity investments.

Terry Grogan, CISO at Tower Health, shared how this efficiency impacted their team:

"Censinet RiskOps allowed 3 FTEs to go back to their real jobs! Now we do a lot more risk assessments with only 2 FTEs required" [18].

By presenting security data in a way that’s easy for decision-makers to understand, the platform empowers boards to make informed decisions about cybersecurity funding and strategy [17].

Scale Risk Management with Censinet AI™

Censinet takes risk management a step further with Censinet AI™, a tool that combines artificial intelligence with human oversight to handle larger volumes of assessments without lowering the bar on review quality. Vendors can complete security questionnaires in seconds, while the system summarizes evidence, captures integration details, and identifies fourth-party risks. This "human-in-the-loop" approach keeps automation in a supporting role: it prepares the material, and a risk analyst still makes the decision, so teams scale their throughput while staying accountable for the outcome.

The benefits go beyond efficiency. James Case, VP & CISO at Baptist Health, noted a significant improvement after implementing the system in 2023:

"We eliminated spreadsheets and gained a supportive network of hospitals" [18].

Similarly, Brian Sterud, CIO at Faith Regional Health, highlighted how benchmarking against industry standards has helped their organization:

"Benchmarking against industry standards helps us advocate for the right resources and ensures we are leading where it matters" [18].

These peer comparisons and collaborative networks not only strengthen cybersecurity efforts but also make a compelling case for board-level investments in security initiatives.

Get Board Approval: Presentation Methods That Work

Securing board approval for cybersecurity funding requires a clear and strategic approach. Your presentation needs to align with the organization's top business priorities and show how cybersecurity risks and solutions tie directly to those objectives.

Organize Presentations for Maximum Impact

Board members value concise, actionable recommendations. To make your case effectively, structure your presentation into three main sections: the current state, progress updates, and future actions. Begin by outlining the most pressing risks that threaten business operations, and then present your proposed solutions in the order of their business impact.

Using a traffic light system can make your presentation even more effective. Highlight risks as green for low, orange for moderate, and red for critical issues requiring immediate attention. Clearly connect funding requests to measurable business outcomes, detailing the resources, budget, and support you need. This method creates a clear visual hierarchy, making it easier for the board to prioritize.

Use Risk Maps to Show Priorities

Visual tools are essential for simplifying complex cybersecurity information. Risk maps, paired with charts, help prioritize what matters most, turning abstract risks into actionable priorities. The quicker you can make risks visible, the faster your team can respond.

For instance, a global company might use a heatmap to show high-risk areas in Europe due to outdated endpoint protection, while U.S. operations appear as low risk [19]. Scenario-based visualizations are another powerful tool. Imagine presenting a simulation of a customer data breach affecting 3 million records, resulting in a $4 million fine and a sharp drop in stock price [19]. These examples make the need for investment tangible.

"It can be difficult to get - and maintain - the attention of the board when it comes to risk. Sending them multiple pages full of text is unlikely to engage them in a meaningful way when they're already juggling other priorities." – The Risk Leadership Network [19]

Focus on a single, high-priority dashboard that addresses a specific issue. Keep the visualization simple and impactful. This strategy not only highlights quick wins but also lays the groundwork for future requests to invest in advanced risk visualization tools. Once priorities are clear, keep board members engaged with consistent updates.

Keep Talking After the Meeting

Getting initial approval is just the start. To maintain board support, you need ongoing communication that shows progress and addresses new threats. Regular updates on your cybersecurity posture - covering new threats, incidents, and responses - keep the board aligned with your goals [9][21].

Share key performance indicators (KPIs) like incident response times, detected threats, and compliance metrics. Insights from cybersecurity drills and exercises can also build trust, showing both preparedness and areas for improvement [21]. Be available for follow-up questions to reinforce your credibility.

When requesting additional funding, tie your ask to the organization's strategic goals and demonstrate a clear return on investment. With 84% of board directors recognizing cyber risk as a business risk [9], regular updates not only boost their confidence in your strategy but also show how your cybersecurity efforts protect and enable the organization to achieve its objectives.

Conclusion: Get Results Through Clear Communication

Securing cybersecurity funding requires ongoing collaboration with the board, built on trust, transparency, and regular updates. Healthcare organizations that succeed in securing necessary investments recognize that an informed board not only asks insightful questions but also actively supports security initiatives that align with the organization’s broader goals, including patient care.

One way to keep cybersecurity top of mind is by scheduling regular discussions on information security during board meetings. This approach ensures the topic remains visible and demonstrates a commitment to accountability. As SBS CyberSecurity explains:

"If the top level of the organization better understands the risks and the impact potential, it will help foster a more robust information security culture throughout the organization" [20].

Be proactive in engaging with board members - answer their questions, address concerns, and build credibility. This kind of engagement ensures that cybersecurity updates are seamlessly integrated into the organization’s ongoing risk management strategies.

Tie every security investment directly to protecting patient care. When the board sees a clear connection between cybersecurity spending and safeguarding patient data and outcomes, it becomes easier to justify these expenses as part of the organization’s core mission.

Provide timely updates on incidents or developments that could impact the organization’s risk profile. Use data to highlight both potential risks and the returns on security investments. Jamey Cummings of JM Search highlights the importance of this approach:

"Transparent and regular communication with key internal stakeholders can help avoid any unnecessary surprises in the boardroom" [22].

Establish a consistent briefing structure so leadership knows what to expect and can prepare for meaningful discussions. Tools like Censinet RiskOps™ can help streamline this process. With data visualization and risk assessment dashboards, platforms like Censinet AI™ condense complex information, allowing you to focus on engaging with the board effectively.

Ultimately, success depends on clearly articulating how cybersecurity safeguards both the organization and its patients. A continuous, transparent dialogue - built on risk assessments and data-driven insights - lays the foundation for meaningful board engagement and informed decision-making.

FAQs

How can I explain the financial impact of cyber risks to board members with different levels of expertise?

To get board members on the same page about cyber risks, it's crucial to turn technical jargon into financial language that ties directly to the organization's goals. Use tangible examples and straightforward metrics to explain the potential impact of a breach - think regulatory fines, lost productivity from downtime, or even the hit to the company's reputation.

Make a case for the return on investment (ROI) of cybersecurity measures by showing how they directly reduce risks and safeguard the business. Keep your points clear and to the point, incorporate visuals like charts or graphs to simplify complex ideas, and adjust your messaging to connect with both the tech-savvy and those less familiar with technical details.

How can I show my board the financial benefits of investing in cybersecurity?

To showcase the financial advantages of investing in cybersecurity, emphasize the measurable benefits. Start with risk reduction - illustrate how proactive measures can prevent expensive breaches, minimize downtime, and avoid regulatory penalties. Incorporate industry benchmarks and real-world examples to compare the potential savings against the high costs of ignoring these risks. Use concrete metrics like cost savings, improved operational performance, or incident prevention statistics to demonstrate clear results. By tying cybersecurity efforts directly to the company’s business goals, you can make a strong case for how these investments contribute to long-term financial stability.

How can real-world examples of cyberattacks help convince the board to invest in cybersecurity?

Sharing real-world examples of cyberattacks on healthcare organizations is a compelling way to show just how devastating inadequate cybersecurity can be. These stories bring to light serious risks like threats to patient safety, interruptions to daily operations, and massive financial setbacks. They make the potential consequences feel much more immediate and relatable, especially for board members.

When you present examples that mirror your organization's specific vulnerabilities, it drives home the need for proactive measures. Highlight how such incidents could directly impact key areas like patient care, compliance with regulations, and the organization's reputation. This helps the board see cybersecurity funding not as a mere cost, but as a critical investment in protecting the organization's future and ensuring its stability.
