Editor’s note: This article draws on insights from an Aug. 12 CIO Dive and Cybersecurity Dive live virtual event. You can watch the sessions on-demand.
Tech executives and cyber leaders may view the enterprise IT estate through different lenses, but the two functions share a focus on enterprise security. While CIOs seek to drive digital transformation by modernizing the tech stack, CISOs are inherently leery of technologies that could weaken an organization’s defenses.
“We love our metrics, and we give all these digits and dials that no one else understands,” James Bowie, CISO at Tampa General Hospital, said during a CIO Dive panel earlier this month. “It can look bad, but you have to sit there and explain, ‘Well, it's okay that we have this many alerts, just because you're watching more things' and spending a lot of time diverting resources and energy … to explaining why the numbers look the way they do.”
Instead of using metrics to overwhelm the hospital’s leadership team or — worse yet — obfuscate cyber concerns, Bowie teamed up with Tampa General CIO Scott Arnold to quantify technology risk in terms that hit home with C-suite executives.
When business operations clash with security imperatives amid a push toward innovation, businesses risk opening the “gateways to cyber hell,” Arnold said, during the panel. “At the end of the day, the risk that we take as a management decision, we make that together. As we report out to the board of directors, and I put Jim out there in front of the board of directors, he can quantify that in terms that everybody understands.”
CIOs and CISOs grapple with cyber risks and the consequences of even a minor security lapse across sectors and industries. In healthcare, the stakes are particularly high.
The sector suffered the biggest financial hit from security breaches for the 14th consecutive year in 2024, according to IBM’s annual Cost of a Data Breach report, published last month. The average cost of an incident in healthcare was $7.42 million, compared to $4.44 million for all organizations globally. Healthcare breaches also took 279 days to identify and contain, which was more than five weeks longer than the global average, IBM found.
The numbers matter, when properly framed.
“The best way to manage security risk is to quantify it and explain the ramifications so that it’s not just the CIO and CISO who are making the final calls,” Bowie said. “Everybody in enterprise and business operations … understands financial impacts.”
To drive home the potential costs, Bowie brought analytics to bear on IT and process decisions, using data to put a number on the risks posed by each addition to the hospital’s tech stack.
“The process that he and his team put in place, frankly, has been transformational with not only our C-suite, but also our board of directors. It puts the type of risk for certain things into a perspective that everyone understands,” said Arnold.
The threat landscape
Healthcare faces many of the same cyber concerns as other sectors. Weaknesses in legacy systems coupled with vendor-related vulnerabilities and a lack of security awareness create clusters of pain points for CIOs and their CISO colleagues.
“We have a wide net of legacy systems,” Bowie said. “We have a bunch of equipment that can't be upgraded because they have to go through an entire certification process with the FDA.”
At a research hospital like Tampa General, data security also has an added layer of complexity.
“It's not different from any other industry that has to secure its corporate [intellectual property] … but what does make us a little different is sometimes we have to be a little liberal on the research side of things,” Arnold said. “Sometimes you don't necessarily have custody or a line of sight into the custody of data — it's an extra wrinkle that we have to deal with.”
While malicious insider attacks resulted in the costliest breaches among initial threat vectors last year, third-party vendor and supply chain issues ranked second, according to IBM’s analysis.
The only major disagreement about a security-related purchase at Tampa General Bowie recalled was over a vendor selection.
“It was a vendor that was legitimately under ransomware attack at the time,” said Bowie. “I was like: 'This is not the time to sign a contract with that vendor … let’s hold off on that.'”
The incident highlighted the proactive role a CISO can play when given the opportunity.
“You can bring down an enterprise with the wrong technology stack from a third-party vendor, especially in healthcare,” Bowie said. “If you get in front of it, and you're part of the contract process … you can put your IT security controls or your standards in the contract language that they will have to abide by, and then you eliminate a lot of that third party risk.”
To make sure Bowie’s perspective resonates, Arnold makes sure he has an audience with the hospital’s leadership team every several months, the executives said.
“It's not a subordinate relationship,” Arnold said. “We might be set up that way on paper and, believe me, I'll take the hit if something bad happens … but honestly, it's a partnership.”
The close CIO-CISO partnership propelled growth for the medical center, according to Arnold.
“We've been able to grow our organization almost 300% over the last six years, which is billions of dollars,” Arnold said. “ You just have to find somebody you can communicate with, you can be flexible with, and that you have a personality match with.”
