Security breaches have become a daily fact of digital life, prompting some companies like insurance giant Aetna Inc. to approach cybersecurity as just one more business risk that needs to be managed, much as they approach fluctuating currency prices or the threat of lawsuits.
It’s a departure from the traditional mindset, in which cybersecurity is viewed primarily as a tech problem that needs to be fixed. Each day, Aetna Chief Information Security Officer Jim Routh looks at the cybersecurity threats facing the health insurer and how they’ve changed in the last 24 hours. He also looks at changes in Aetna’s ecosystem. He translates that information into a daily risk score and distributes it to company leaders. Understanding that risk is essential to making long- and short-term decisions about allocating scarce resources to the highest risks, he said.
“We’re transparent about the risks to pretty much anyone inside the company because knowing the risk is the first step towards mitigating and managing that risk long term,” Mr. Routh told CIO Journal.
He shares an understanding of that risk throughout the business, which helps the company respond quickly to shifting threats, and make informed decisions about where to devote staff efforts or invest money in strengthening defenses. Expecting technology to magically fix cybersecurity problems is just as unrealistic as buying a financial system and expecting to no longer worry about financial management, said Kennet Westby, president of Coalfire Systems Inc., a cyberrisk advisory firm. “This is not a problem you can solve, but it’s a problem you can manage,” said Mr. Westby.
Mr. Routh and his team look at threat information from thousands of sources. Aetna subscribes to three threat intelligence services and is a member of two information sharing and analysis centers, one for financial services and one for health care. At a 4:00 p.m. meeting each day, his team talks about new security threats and interprets what they mean for Aetna’s risk. The tool Mr. Routh uses is a simple spreadsheet that looks at various categories of security controls within the company.
For example, one category is called Inside Out Controls, and there are dozens of examples of these controls. This category covers controls on data leaving the company, along with behavioral information on the usage of Web services, mobile applications, Secure File Transfer Protocol and email. It may include tools like behavioral analysis software that looks for bad actors trying to take information out of the company’s network. Another example of an Inside Out Control is that Aetna, like many companies, can see and control which cloud services employees use. “We have a risk profile for each cloud service,” said Mr. Routh. The company blocks access to high-risk sites, preventing exposure of its data, he said. So if a popular cloud service that employees use suffers a major data breach, the risk profile for that cloud service increases.
“We rank every single threat every single day,” said Mr. Routh. “Because we measure every day, we know what it is and when it changes,” he added. He uses daily information to reassess the ranking of top risks to the enterprise.
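To make the mechanics of the two preceding paragraphs concrete, here is an added illustration (written for this page, not Aetna’s spreadsheet or any tool the article describes) of a daily re-scoring loop: each cloud service carries a standing risk profile, items from a threat feed push a service’s score up for a while and then decay, a service that crosses a policy threshold lands on the block list, and a day-over-day diff shows which rankings moved. The service names, the 0-100 scale, the event weights, the 30-day decay and the block threshold of 70 are all assumptions chosen for the example; the feed items are constructed sample data.

```python
"""Toy daily risk re-scoring for cloud services (constructed illustration)."""
from dataclasses import dataclass, field
from datetime import date, timedelta

BLOCK_THRESHOLD = 70  # assumed policy threshold on a 0-100 scale, not the article's number
# Assumed weight added to a service's score by each kind of threat-feed item.
EVENT_WEIGHTS = {"breach": 40, "credential_leak": 25, "phishing_lure": 10}


@dataclass
class ServiceProfile:
    name: str
    base_risk: int  # standing risk from the vendor review, 0-100 (assumed scale)
    events: list = field(default_factory=list)  # (event_date, weight, kind)

    def score(self, today: date, decay_days: int = 30) -> int:
        """Base risk plus recent event weights, each decaying linearly to zero
        over decay_days. Events dated after `today` do not count yet."""
        total = self.base_risk
        for when, weight, _kind in self.events:
            age = (today - when).days
            if 0 <= age < decay_days:
                total += round(weight * (1 - age / decay_days))
        return min(100, total)


def apply_threat_feed(profiles: dict, feed: list, today: date) -> int:
    """Attach feed items to the matching service profiles. Returns how many
    were applied; unknown services, unknown kinds and future-dated items are
    skipped rather than allowed to crash the daily run."""
    applied = 0
    for item in feed:
        profile = profiles.get(item["service"])
        weight = EVENT_WEIGHTS.get(item["kind"])
        if profile is None or weight is None or item["date"] > today:
            continue
        profile.events.append((item["date"], weight, item["kind"]))
        applied += 1
    return applied


def daily_ranking(profiles: dict, today: date) -> list:
    """Services ordered from highest to lowest score, as (score, name)."""
    return sorted(((p.score(today), p.name) for p in profiles.values()), reverse=True)


def block_list(profiles: dict, today: date) -> list:
    """Services whose score is at or above the block threshold."""
    return sorted(p.name for p in profiles.values() if p.score(today) >= BLOCK_THRESHOLD)


def changes_since(profiles: dict, yesterday: date, today: date) -> dict:
    """name -> (old_score, new_score) for every service whose score moved."""
    return {
        p.name: (p.score(yesterday), p.score(today))
        for p in profiles.values()
        if p.score(yesterday) != p.score(today)
    }


def run_example() -> dict:
    """Build constructed sample data, run one day's re-scoring, return results."""
    today = date(2015, 3, 30)
    profiles = {
        "filedrop.example": ServiceProfile("filedrop.example", base_risk=45),
        "notes.example": ServiceProfile("notes.example", base_risk=20),
        "chat.example": ServiceProfile("chat.example", base_risk=60),
    }
    feed = [  # constructed threat-feed items, not real reports
        {"service": "filedrop.example", "kind": "breach", "date": today},
        {"service": "notes.example", "kind": "phishing_lure", "date": today - timedelta(days=5)},
        {"service": "chat.example", "kind": "credential_leak", "date": today - timedelta(days=45)},
        {"service": "unknown.example", "kind": "breach", "date": today},  # not in inventory
    ]
    applied = apply_threat_feed(profiles, feed, today)
    return {
        "applied": applied,
        "ranking": daily_ranking(profiles, today),
        "blocked": block_list(profiles, today),
        "changes": changes_since(profiles, today - timedelta(days=1), today),
    }


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The day's breach at filedrop.example lifts it from 45 to 85 and onto the block list; the 45-day-old credential leak at chat.example is attached but has fully decayed, so its score stays at 60; the item for a service not in the inventory is dropped. The `changes` map is the part a CISO would actually read each morning: which services moved, and by how much.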
For example, news surfaced starting in late January that a nationalist Turkish hacker group had started attacking political targets, such as the website of the government of Ghana. That was a change that caught Mr. Routh’s attention because he hadn’t seen these kinds of attacks come from Turkey, he said. There have also been news reports that Chinese nation-state hackers are suspected of targeting health-care information, he said.
Mr. Routh has been ranking cyber risks for 12 years – the last two at Aetna – and he said he didn’t previously worry about nation state hackers. “That’s all changed and now we monitor nation states – it’s one of our biggest threats today,” he said.
When threats spike in a certain area – like the attack on Sony Pictures Entertainment – Mr. Routh looks at all the remediation projects he’s got underway to see if any of them need to be reprioritized. For example, Aetna made revisions to its data recovery practices based on the destructive malware used against Sony. Mr. Routh’s list of remediation projects is prioritized according to risk with the ones at the top of the list getting the best resources and the ones at the bottom getting little or no resources.
Most companies evaluate cybersecurity risk on a quarterly basis and more are starting to do it monthly, said Mr. Westby. He doesn’t know any that do it daily like Aetna.
Ranking threats every single day may not be the best move for every company, experts say. In fact, many companies may not have the resources or the team that can actually translate those threats into actionable intelligence. Doing the basics of cybersecurity, such as deploying intrusion prevention systems, anti-virus software and passive defenses such as firewalls, should be the first priority, said Robert M. Lee, a co-founder at industrial control systems security firm Dragos Security LLC and an active-duty U.S. Air Force cyberspace operations officer.
“I can have all the best threat intelligence in the world and figure out how to leverage it but if I have unpatched systems then I’m wasting my time,” he said.
Mr. Routh estimates that about 70% of security controls represent good IT hygiene, such as server configuration management, patch management, incident response, security monitoring, network perimeter monitoring and building security controls into software as it is being developed. Yet those basics don’t address emerging technology and the evolution of threats, he said.
Also, CEOs and boards may be surprised to find that even though they’ve increased the cybersecurity budget by millions of dollars, the risk has also increased, said Anton Chuvakin, a research vice president covering security and risk at research firm Gartner Inc. That’s because the risk for the overall industry may have increased as more attackers target the sector. “There is no magic button to spend money to lower risk,” said Dr. Chuvakin.
He notes that after a breach, one health-care CISO received a major budget increase and was told to take care of risk. That CISO still has budget left over: he needs to hire people, and there’s nobody to hire because of a scarcity of talent.
At Pacific Gas & Electric Co., former CISO James W. Sample faced the issue of risk remaining high to the industry even as the company spent money to improve its cybersecurity capabilities. He started to chart the company’s security capabilities and how it was improving relative to that risk so company leaders and the board could measure progress, he told CIO Journal.
Date: March 30, 2015