Aetna CISO talks about threat intelligence and enterprise risk management

The growth of ISACs will continue as more companies learn that mature cyber security programs all share information to make their enterprises more resilient.


Jim Routh is the chairman of the National Health ISAC and a board member of the FS-ISAC. He was formerly the global head of application & mobile security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC and American Express and has over 30 years of experience in information technology and information security as a practitioner. He is the Information Security Executive of the Year winner for the Northeast in 2009 and the Information Security Executive of the Year in 2014 in North America for Healthcare.

What does the future hold for threat information and collaboration entities like NH-ISAC?

ISACs are essential for information sharing and they will continue to mature capabilities for information sharing that takes place largely through trusted relationships. ISACs are core for enabling colleagues to establish and build relationships. The growth of ISACs will continue as more companies learn that mature cyber security programs all share information to make their enterprises more resilient. ISACs are not ISAOs. ISACs are owned by the members, they operate for the members, and the products and services provided serve the members. ISAOs have a mission to grow and contribute to profit through membership that benefits the principals.

What is your view on the maturity of risk management today and where does it need to be 10 years down the road?

Enterprise risk management today has significant upside to improve maturity in the next 10 years. Enterprise risk management programs today capture a diverse set of risks, but they are typically not designed for senior executives to make tangible decisions on allocation of resources to the top operational risks. Risk awareness is useful, but risk management requires decisions on the allocation of scarce resources to the highest risk activities, and enterprise risk management discipline will evolve to be more mature in the years ahead and become a more vital tool for the CEO.


What are the key components of a third party vendor management program with regard to information assurance and risk?

Third-party governance programs must evolve to offer more continuous methods for risk assessment and management vs. one-and-done annual on-site assessments. More and more services are offered through cloud providers that host sensitive information, and determining online vulnerabilities on a 24 x 7 basis will become more of the norm for any enterprise interested in managing third-party risk. The other fundamental change in third-party risk is a migration from compliance-driven assessments (compliance to a standard) to a risk-driven assessment where risks are identified and managed. Adherence to a standard or framework based on standard practices is better than nothing but not sufficient to manage risk effectively given the evolution of cloud computing.

How do we address the global shortage of information security skills?

Investing in programs (like the NSA is doing) in getting young students in grade school interested in cyber security through gaming programs is essential for the long-term evolution of cyber security talent. Gamers make great cyber security professionals. Enterprises will have an easier time attracting scarce talent if they teach techniques over tools in cyber security. Techniques can be game-changers for the adversary and improve cyber resiliency of any organization. Learning innovative techniques improves the opportunities and choices for cyber talent in the marketplace. Our organization has no difficulty finding top talent with a passion to learn, largely because we teach innovative cyber security techniques to all our professionals.

A question you yourself would like to be asked…

The most important goal for any healthcare industry cyber security professional is to differentiate between a risk-driven program and a compliance-driven program. Compliance to a standard is a good thing but entirely insufficient to block attacks from sophisticated adversaries. That requires a cyber program that adjusts controls based on shifts and changes in the tactics of adversaries and the evolution of the cyber threat landscape. These adjustments in controls mean the difference between being resilient and not. Adjusting cyber security controls today is the new normal, and adherence to standards alone is not enough.

Copyright © 2016 IDG Communications, Inc.
