Improving Security Posture with Integrated Risk Management (IRM): 6 Vital Takeaways from Our Webinar

With the growing complexity of risk assessments and changing healthcare compliance regulations, IT and Security leaders are looking for a new approach that acknowledges the true business impact of cyber threats within healthcare organizations – and our recent webinar explored integrated risk management (IRM) as a perfect way of achieving this. 

IRM helps organizations create a unified view of their cybersecurity vulnerabilities and involve multiple departments and stakeholders in the remediation process. Intraprise Health CSO Scott Mattila was joined by Devin Shirley – CISO of Arkansas BlueCross BlueShield – to explore how IRM can help healthcare entities improve their security posture in a complex, evolving landscape and what they should do to achieve buy-in around it. 

Below are the six key takeaways from their discussion: 

1. Accountability is the Key to Unified Risk 

Integrated risk management (IRM) requires collaboration between multiple stakeholders, but many healthcare CSOs and CISOs struggle to generate buy-in. Our speakers suggested a surprising solution: make more parties accountable for cyber risk. 

“There’s going to have to be a mindset shift,” Devin explained. “Sure, there might be someone at the top who’s ultimately responsible. But everybody has a part to play, and if you get people to take ownership, they will want to collaborate to understand risk.”  

However, many stakeholders will not be used to taking accountability for cyber risk – which is why Devin emphasizes the role of data in building collaborations. He recommends using clear metrics to measure individuals’ responsibilities and creating easily accessible dashboards where these can be viewed. 

The results are more than worth it. As Devin says: “By building collaborative relationships, cybersecurity becomes a revenue multiplier – not a cost multiplier.”

2. Processes Are More Important Than Tools 

Healthcare cybersecurity has seen a “tool rush” in recent years, with innovative products presented as the definitive solution to risk. But when Scott asked Devin about the role of tools, he cut through some of this noise. 

“You can have all the tools in the world giving you the best data,” Devin said. “But if you don’t have a process for reviewing, evaluating and taking action on it, then you’re wasting your time.” In fact, he believes that the best and most valuable tools are the ones that help refine your processes.

3. Culture Change is a Product of Process 

Building a culture of collaboration and awareness is foundational to an effective IRM model – and many CSOs argue for a “bottom-up” approach to culture that ensures the change is organic. But our speakers revealed another approach, which is allowing culture to adapt to your processes. 

“If you follow a framework, you will see a change in the culture,” Devin argues. “There’s something about an organized framework that directs and focuses people.”  

Simply put, the right process will build a culture that supports it. But this raises a question: what if people don’t see the point in the framework?

4. Audits Are Essential to Gain Buy-In 

Cybersecurity professionals often fear audit compliance will get in the way of their real job – which is to protect and defend the organization from cyber threats. But Devin sees these two factors as inextricably linked – especially when it comes to achieving buy-in for an integrated risk model.  

“Nobody wants more audits,” he admits. “But audit compliance helps you achieve the standards you want to protect and defend your org.” Without the pressure of audit compliance – and a regulatory framework to comply with – action will be slower and buy-in for remediation or change harder to come by.  

“Do we have to do this?” stakeholders might ask – and audits allow you to respond with an authoritative yes. 

5. Third-Party Risk Requires External Partnership 

Given its growing prominence in healthcare cybersecurity, third-party vendor risk was a key topic. Our speakers noted the importance not just of specialized third-party risk management processes, but also of utilizing external partners to assess and manage the threats. 

“You need that external component,” Devin said. “Because they might think a little different, and they’re seeing things you can’t see.” This is especially true because supply chains have been so turbulent in recent years, and many organizations have been forced to make fast changes without the necessary protections in place. 

6. Collaboration is the Key to Sustaining Momentum 

By the time we came to the Q&A section, Devin had offered a wide range of insights and actionable tips to make integrated risk management a reality. But there remained a problem: how do you maintain the momentum required to ensure these initiatives last? 

Devin’s answer was simple: by creating real cross-functional relationships. Teams in HR or Finance might get excited in the short-term about the value of improved cyber risk management, but that enthusiasm will inevitably wane. Rather than denying that fact, Devin’s solution is to keep the benefits fresh in stakeholders’ minds.

How can you do that? By making the effort to really understand what each stakeholder needs, and making regular gestures and trade-offs that help them see the value of collaboration. Devin frames this as a negotiation – a process of perspective taking. “I create value for you, and you create value for me,” he describes. And that is a perfect summation of much of the advice here: integrated risk management may be better thought of not as a destination, but an approach and a set of ideals. 


About the Author

Scott Mattila, CSO, Intraprise Health

Scott Mattila is the Chief Security Officer at Intraprise Health. He has held leadership positions at some of the country’s most prestigious institutions, and is currently an adjunct professor and serves on the Dean's advisory board at Duquesne University's Rangos School of Health Science.