Data breaches happen every day.  So do you have a cybersecurity insurance policy in place?

The real question is, when was the last time you knew your data was lost or stolen … or do you even know?

Now, you can cut your cybersecurity insurance premium by 33% if you have a functional IT Asset Management {ITAM} Program in place based on NIST CSF Framework!  In fact, a certified ITAM Program Manager {CITAM} is the only person in an organization that can confidently report on who, what, when, where, why, and how any or all IT data-bearing devices are being used, or not throughout an operating environment.  The primary responsibility of a CITAM is to effectively manage all of the lifecycle processes, controls, and reporting infrastructure in place.  This goes above & beyond the basic requirements of compliance.  As Dr. Barb says, “if you’re not managing your IT assets, you’re not managing your business!”

Based on the basic premise that data is the lifeblood of an organization, protecting any/all data created, shared, and ultimately destroyed must be documented.  The foundation of data management is dependent on the implementation of lifecycle management policies and procedures.  Beyond electronic intrusions, the physical security of your data-bearing assets is actually the initial source of cyber-attacks.  Consequently, it is mission-critical to have ISO & NIST framework/guidelines as standard operating procedures that are functioning and being reported on a real-time basis. 

According to this recent report produced as in collaboration of Censinet, KLAS, the American Hospital Association, Health-ISAC, and the Healthcare and Public Health Sector Coordinating Council from based on 58 respondents (54 payer or provider organizations and 4 healthcare vendors) who were interviewed September–December 2023, those using NIST CSF as their primary cybersecurity framework report premium increases one-third the percentage reported by non-NIST CSF organizations.  The bottom-line findings from this annual study confirms that implementation & compliance to this framework helps organizations mitigate the impact of breaches on patient care and safety and maintain business continuity all while reducing cybersecurity insurance premiums.

With respect to the status of healthcare cybersecurity preparedness, the effect of enhanced governance and resource investments on cybersecurity preparedness will offer significant reductions in an organization’s standard insurance costs.  In summary, How much does your organization value security?  More directly, how valuable is your IP, customer, and employee privacy?  Ultimately, how much do your investors value your brand, organizational image, and data management capabilities.  This assessment of insider threats and other risks are part of a cost-benefit analysis.  Those that have invested in adoption of NIST CSF have lower year-over-year increases to their cybersecurity insurance premiums that have been escalating.

NIST CSF v2.0 marks a significant step forward for organizations seeking a comprehensive way to manage the evolving cybersecurity landscape. Will you make the investment to evolve your processes & controls from the 2014 original version?  While the core principles remain consistent, version 2.0 introduces important refinements to help businesses align cybersecurity with broader risk management efforts.

So when it comes to data security, how can you qualify & quantify a return on those investments?  Please consider me a resource/reference and don’t hesitate to contact IAITAM to customize an ITAD Solution that will meet/exceed your expectations for a simple, cost-effective bolt on, iron-clad patented EoL/decommissioning process to enhance your data lifecycle management capabilities that will extend the value of NIST CSF.

Spend

Look at your software suppliers, and your annual spend for each.  Spending a lot of money with one vendor is by no means a guarantee that a determined compliance position will be the most valuable, but it is a great start.  Without a crystal ball, we are doing our best to anticipate which vendor will be the most valuable to have compliance positions for.  A decision on which vendor to start with is going to include multiple considerations.  In general, the higher the spend, the more we have to gain by having compliance nailed down.

“Compelling Dates”

Consider upcoming important dates related to your suppliers.  If a contract renewal is coming up, or there is a true-up requirement down the line, knowing our compliance position is valuable.  We can more confidently negotiate knowing we are in compliance, and knowing exactly how much of a product we need.  If our renewal goes sideways, or the vendor is unhappy with us lowering our spend, we can be confident that we are ready for an audit that may be triggered.

Risky License Types

Some license types are more risky than others.  Some risky ones could include; indirect access, named users, or processor based licenses in the virtual space.  Indirect access licenses could quickly multiply the number of licenses needed if we have customers or employees accessing data that is served up on kiosks or websites.  Suddenly, the one-hundred licenses we purchased for the team, is not nearly enough for the entire company that is also accessing the data, in an indirect way.  Named user license can often be neglected because they are a lot of work to manage down to the specific user level.  Should an audit come, all of our misassigned named user licenses may become “shelf-ware.”  The scaled-up nature of our server space can allow compliance issues to multiple out of control, and end up being an audit risk beyond even the figures that we are currently paying.  That is, we may spend one million a year for a particular vendor, only to have ten million in risk in our server space.

Aggressive Vendors

Casually asking around at ACE or in IMUGs can be a great way to learn which publishers are auditing more frequently.  When you see some news come across your feed about a vendor auditing, when you hear from peers about their experiences with particular vendors, incorporate that knowledge into your prioritization.  Ask around.  Know that there isn’t a magic formula to know who will audit next, but if a vendor is known for being aggressive, and doing lots of audits, it becomes more valuable to be prepared.

Reducing Spend

If you will be reducing spend with a vendor, that can become an audit risk.  From the publisher’s perspective, if they think you are going to be continually lowering spend, or leaving them all together.  Why not audit to try to capture some revenue in the chaos, and before you are gone all together?

Level of Effort

In reality, once you start determining a compliance position for a group of products or a vendor, it may end up being more than we bargained for.  As we prioritize our vendors, consider the level of effort to determine compliance.  In some cases, we may need to purchase an entirely new tool to get to the level of details we need.  If the level of effort is very high for a vendor in which we otherwise don’t have much risk with, it may not make the cut for our “Top 10” publishers.

Bringing It All Together

Determining compliance for thousands of products “over-night” will almost certainly be too much to manage.  Let’s start with the vendors and products that have the highest chance of helping our program build momentum.  If we can do our “Top 10” then we will have lessons that we can apply going forward with our remaining vendors.  We will have a proven track record of being able to generate value when we determine compliance, and ultimately be able to get even more support from executives and finance as we aim to determine compliance for our “Top 50” or “Top 100.”  Sit down, consider the aspects above, apply scores/weights, be scientific, and rest easy knowing that you are working on the most important vendors/products for your company, based on the information that is available at the time.  When the next audit comes, you will be glad you did!