HITRUST Business Case Example document for hitrust
cjssv1
Apr 25, 2024
About This Presentation
very good document for the
Size: 3.08 MB
Language: en
Added: Apr 25, 2024
Slides: 10 pages
Slide Content
risk3sixty
HITRUST Business Case Example [Template]
Bottom Line Up Front

Executive Problem Statement: Due to client and market expectations, contractual requirements, competitive pressure, and existing third-party due diligence requirements from partners, ACME Company must obtain a HITRUST Certification within the next 12 months. In the absence of a HITRUST certification, ACME will be in breach of contracts, be uncompetitive in the marketplace, and be unable to respond to third-party security questionnaires quickly enough to support the sales organization.

Ask from Leadership: Approval and resources to build a HITRUST program and obtain a HITRUST Validated Certification within 12 months.

Expected Benefits:
- 4-10x return on investment (see slide 4)
- Enable sales and healthcare partner relationship management
- Shorten the sales cycle during the due diligence phase
- Reduce company risk (e.g., security breach, customer contracts, ongoing compliance)
Why We Need This

Problem:
- We are contractually required to have a HITRUST certification but do not currently have one
- We do not have the resources to respond to customer security questionnaires on a timely basis (currently 14 days behind SLAs); this supports $10M ARR
- We are increasingly being asked by prospects about our security program, and we don't have a third-party assurance mechanism to share with them; our competitors do
- We don't have good security policies and procedures that are shared and understood across the company, nor do we have a set of security controls with control owners

Desired Future State:
- Obtain a HITRUST e1 in short order and be on a glide path to obtain a HITRUST i1 later this year
- Push back on customer security questionnaires and instead provide our HITRUST Certification
- Work with Sales and Marketing to lead with a strong security story and highlight what we do to keep our customers' data protected; provide a HITRUST e1 or HITRUST i1 certification as appropriate
- Have a harmonized set of security policies, a security control set that reflects what we are doing, and assign control owners in our GRC platform
Resources / Business Case: Cost vs. Benefit Analysis

Costs:
- Salary + Benefits: $300,000 (Sec. Leader + Analyst)
- Service Provider Fees (HITRUST Assessor, GRC Platform): $55,000 - $85,000
- HITRUST Alliance Fees: $15,000 - $25,000
- Total Cost to the business: $390,000 per year

Benefits:
- 4-10x return on investment (cost vs. potential upside)
- Faster Sales Cycle (50% faster due diligence)
- Better "Sales Story" to communicate to prospects
- Reduced Corporate Risk (security breach, contractual compliance, regulatory compliance)
- Reduced Total Cost

Return on Investment:
- Cost: $390,000 Total Program Cost
- Upside Opportunity:
  - $750k: Assume we close five additional deals with banking clients due to demonstrating a better security posture
  - $150k: Assume we reduce the sales cycle by 30 days (faster cash conversion cycle) due to better due diligence efficiency
  - $250k: Assume we maintain 2x clients for an additional year (reduced client churn) due to better security posture
  - 500 hours: Assume we save various members of management, sales, and engineering from participating in security questionnaires

Note: Validation of the above assertions is available in the appendix.
Appendix I: Assertion Validation

1) How do we know the cost of a security resource?
Cost of security resource validated via market validation survey provided by Human Resources. ( Survey link here )

2) Do we really need an additional resource, or can we handle the workload with current staff?
No, based on our current workload we have at least 2000 hours of project work. ( Link to staffing plan )

3) Are we really at risk of losing clients over security?
Yes. Last year we lost 2 existing clients and 1 potential opportunity due to unsatisfactory client audit results ($600k in annual revenue). This was confirmed by the Chief Revenue Officer.

4) Will we really reduce the sales cycle?
Yes, the average sales cycle with our banking clients is 120 days; 60 days of that is security diligence and contract review. The CRO confirmed expedited diligence would save 20-30 days.

5) Will we really save 500 hours from operations personnel?
Yes. Based on our lessons learned survey from the prior year, personnel from HR, engineering, and customer support spent 1053 hours on security and audit activity. ( Link to survey here )

6) Do we really have significant security risk exposure?
Yes, according to the risk assessment performed by an outside security firm (risk3sixty) we have 12 gaps deemed serious. ( Link to report here )
Appendix II: Timeline for HITRUST e1

[Gantt chart across Jan through Dec; phases in order]
- Planning
- Readiness Assessment
- Resolve all Gaps (Milestone)
- HITRUST e1 Assessment
- HITRUST e1 Validated Report (Milestone)

Note: Remediated controls must operate for 90 days (if no Gaps, timeline can be reduced).
Appendix II: Timeline for HITRUST i1

[Gantt chart across Jan through Dec; phases in order]
- Planning
- Readiness Assessment
- Resolve all Gaps (Milestone)
- HITRUST i1 Assessment
- HITRUST i1 Validated Report (Milestone)

Note: Remediated controls must operate for 90 days (if no Gaps, timeline can be reduced).
Appendix III: Other Stakeholders Impacted

Stakeholders           | Description of Impact | Estimated Impact (Hours)
-----------------------|-----------------------|-------------------------
Security/GRC           |                       |
Information Technology |                       |
Engineering            |                       |
Legal                  |                       |
HR                     |                       |
C-Suite/Executives     |                       |
Appendix IV: Stakeholder Sentiments

Each stakeholder is rated on the scale: Strongly Against / Against / Neutral / Support / Strongly Support

Stakeholders:
- John Alford
- Sue Campbell
- William Lopez
- Donna White