
2 Minute Drill: Protecting Revenue from Cyber Attacks - The CFO-CISO Partnership with Drex DeFord
Questions Answered in This Episode
- Why is resilience becoming more important than preventing breaches entirely?
- How do cyber incidents today differ from the technical problems of yesterday?
- What happens to your organization's revenue when systems go down tomorrow?
- Why should your CFO and CISO be closest allies, not distant departments?
- Can security stop being a cost center and become a revenue protector?
About This Episode
At a recent 229 CISO Summit, healthcare security leaders revealed a critical shift in how success is measured. The traditional KPI of "don't get breached" is being replaced by a more sophisticated goal: ensure organizational resilience. Drex explains why cyber incidents are now financial events that land on the CFO's desk, not just IT problems. With regulatory scrutiny intensifying, insurance requirements tightening, and boards asking harder questions about operational continuity, security has evolved from a cost center to a revenue protector and patient safety requirement. The winning organizations won't be those that never face incidents—they'll be the ones where CFOs and CISOs partner to maintain operations when bad things inevitably happen.
Remember, Stay a Little Paranoid
Donate: Alex’s Lemonade Stand: Foundation for Childhood Cancer
Transcript
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Hey everyone. I'm Drex and this is the Two Minute Drill. It's great to see you today. Here's some stuff you might wanna know about. I was at a 229 CISO Summit this past week with about 15 execs in the room, and at one point we asked a really simple question: what's the single most important KPI for a CISO? And the answer came back kind of fast. Don't get breached. Fair enough. That's been the bar for a long time, but as the conversation went on, something more interesting kind of surfaced, because not getting breached isn't actually the goal anymore. Ensuring resilience is the new goal.
Now, why is that? Well, cyber incidents used to be technical problems. Today, though, more than ever, they're financial events. One breach can trigger disclosure obligations and regulatory scrutiny from both the state and the feds and entrance fights, and a long-term hit, obviously, to valuation and trust. And that's when the problem moves out of the IT department, out of the security department, and lands squarely on the CFO's desk.
Boards aren't asking, what security tools did we buy? Boards are asking what happens to revenue and operations and confidence and our patients and families if systems go down tomorrow. That's not a cyber question, that's a finance question. And regulators are watching more closely, and insurers are demanding proof of modern controls before they'll write policies. And donors are asking a lot more questions than ever before, before they write a check. And communities are paying attention to not just whether an organization was hit, but how well it absorbed the impact and how well it kept operating.
Which brings me back to that KPI. Breaches are inevitable. Outages happen, people click things. Third parties who are critical to clinical and business workflow, um, wind up failing and failing us. But resilience is what determines whether a cyber incident becomes a footnote or a financial crisis. Resilience is now clearly part of financial stewardship.
CFOs, if one of your closest allies isn't your CISO, you're ignoring an internal partner who can help you be successful. Security isn't a cost center anymore. It's a revenue protector. It's a patient safety requirement, and the organizations that win won't be the ones that demand no breach as the KPI. It'll be the ones where the CFO and the CISO execute a plan to keep operations running smoothly even when bad things happen.
You can read more on that story and a lot of other stories on healthcare tech and digital innovation and security news at thisweekhealth.com/news. And don't forget, we're the end of the week. I publish a written version of this show. It's called The Two Minute Drill Extra. It's for people who would rather read their podcasts. It's a collection of all the week's hottest stories and a transcript of this show. I'll put a link in the comments section for all the extra newsletters. I hope you'll check them out. And that's it for today's Two Minute Drill. Thanks for being here. Stay a little paranoid and I will see you around campus.




