Building a World Class Security Program

A client came to us with a pretty serious problem. They did not have an existing security program or security team in place, and realized that they had experienced a breach.

After remediating and addressing the acute breach factors, it was decided that a security program needed to be rapidly put into place. Not only did this need to satisfy auditors/regulators, but it also had to be practical, comprehensive, and cost-effective in the long-term, ensuring that all major risks were both accounted for and addressed.

This was no small task, even for a healthcare services firm like ours. How do you begin to boil an ocean? Where do you even start?

How do you ensure that you are asking for the right investments in security? How do you prove your security investments are appropriate and are of value to your shareholders, auditors, and regulators? And most importantly, how can you know for certain that you are doing the right things to protect your system?


Even in the aftermath of a breach, there still isn’t an “unlimited” budget for security. So, when you are starting from a point of immaturity, what is your first order of business?

A post-breach culture scrutinizes and questions every move, investment, and action. Because of this, an empirical model needed to be established. We had to ensure that the complete enterprise risk profile was accurate, relevant, and actionable.

How do you address the mandate of auditors and regulators for security controls, while also proving empirically that every major risk is accounted for? Keep in mind that you will need to ensure that any new risk would be quickly assessed, incorporated, and prioritized for implementation. And then, after all of that, how do you apply your approach to an enterprise that spans multiple states and business locations?

It was a challenge, but Health Lyrics was up for it.

Our Approach & Methodology

Speed, comprehensiveness, and measurable value were the three key tenets of our approach.

We first had to create a full mapping of the enterprise, both from a business decomposition as well as from a technological and process-centered perspective. With this agreed-upon mapping, it was imperative for us to facilitate a comprehensive risk inventory of each pillar of security.

No risk was too small to matter.

With a complete risk inventory in hand, we first needed to rank each risk in order of priority. Then, we had to empirically prove each high risk to ensure it was appropriate.

When all risks across the enterprise were identified, ranked, and empirically proven, we used this data to establish our roadmap to build out the program. Those risks that were identified and quantified as “high risk,” or critical, received investment priority. Where the investment requirement surpassed our budget, we were able to get board-level risk acceptance with approved mitigation strategies.

Success & Value Realized

There were a number of specific approaches that enabled our success on this security program.

  • Having a comprehensive approach to a full risk inventory helped focus all efforts on the immediate high risks, with the best risk return on investment.
  • Being truly successful would require multiple years, but knowing and prioritizing our first steps gave the client and the staff the focus they needed to succeed long-term.
  • We were able to map overall value to the maturity model in any process or technology. By focusing on maturity in an area, the client could precisely establish how good they needed to be, instead of chasing a hypothetical value.

Lessons Learned

Along the way, we recognized a few factors.

  • By being able to empirically support the highest risks, we were able to address auditors’ and regulators’ concerns on approach and methodology.
  • Using a well-defined program allowed the client to take any newly-identified risk and compare it to our current risks for prioritization. Without this, every vendor/auditor would have kept emphasizing their own new concern, and we’d continue to chase squirrels without truly knowing where we should direct our efforts first.
  • Sometimes, risks that we initially thought were high did not prove themselves to be so, once supporting metrics were introduced.
  • Laying out all risks and plans comprehensively allowed us, and the client, to really understand the investment, the journey, and the value of building out a world-class security program.
