



Aetna CISO talks about threat intelligence and enterprise risk management

Mar 23, 2016 | 4 mins
Compliance | CSO and CISO | Data and Information Security

The growth of ISACs will continue as more companies learn that mature cyber security programs all share information to make their enterprises more resilient.

Jim Routh is the chairman of the National Health ISAC and a board member of the FS-ISAC. He was formerly the global head of application & mobile security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC and American Express and has over 30 years of experience in information technology and information security as a practitioner. He is the Information Security Executive of the Year winner for the Northeast in 2009 and the Information Security Executive of the Year in 2014 in North America for Healthcare.

What does the future hold for threat information and collaboration entities like NH-ISAC?

ISACs are essential for information sharing, and they will continue to mature capabilities for information sharing that takes place largely through trusted relationships. ISACs are core for enabling colleagues to establish and build relationships. The growth of ISACs will continue as more companies learn that mature cyber security programs all share information to make their enterprises more resilient. ISACs are not ISAOs. ISACs are owned by the members, they operate for the members, and the products and services provided serve the members. ISAOs have a mission to grow and contribute to profit through a membership that benefits the principals.

What is your view on the maturity of risk management today and where does it need to be 10 years down the road?

Enterprise risk management today has significant upside to improve maturity in the next 10 years. Enterprise risk management programs today capture a diverse set of risks, but they are typically not designed for senior executives to make tangible decisions on the allocation of resources to the top operational risks. Risk awareness is useful, but risk management requires decisions on the allocation of scarce resources to the highest-risk activities. The enterprise risk management discipline will evolve to be more mature in the years ahead and become a more vital tool for the CEO.


What are the key components of a third party vendor management program with regard to information assurance and risk?

Third-party governance programs must evolve to offer more continuous methods for risk assessment and management vs. one-and-done annual on-site assessments. More and more services are offered through cloud providers that host sensitive information, and determining online vulnerabilities on a 24x7 basis will become more of the norm for any enterprise interested in managing third-party risk. The other fundamental change in third-party risk is a migration from compliance-driven assessments (compliance to a standard) to risk-driven assessments where risks are identified and managed. Adherence to a standard or framework based on standard practices is better than nothing, but it is not sufficient to manage risk effectively given the evolution of cloud computing.

How do we address the global shortage of information security skills?

Investing in programs (like the NSA is doing) that get young students in grade school interested in cyber security through gaming programs is essential for the long-term evolution of cyber security talent. Gamers make great cyber security professionals. Enterprises will have an easier time attracting scarce talent if they teach techniques over tools in cyber security. Techniques can be game-changers for the adversary and improve the cyber resiliency of any organization. Learning innovative techniques improves the opportunities and choices for cyber talent in the marketplace. Our organization has no difficulty finding top talent with a passion to learn, largely because we teach innovative cyber security techniques to all our professionals.

A question you yourself would like to be asked…

The most important goal for any healthcare industry cyber security professional is to differentiate between a risk-driven program and a compliance-driven program. Compliance to a standard is a good thing but entirely insufficient to block attacks from sophisticated adversaries. That requires a cyber program that adjusts controls based on shifts and changes in the tactics of adversaries and the evolution of the cyber threat landscape. These adjustments in controls mean the difference between being resilient or not. Adjusting cyber security controls today is the new normal, and adherence to standards alone is not enough.


I have over twenty years of experience as an information security professional, serving in executive and senior management positions in the US and the UK. My responsibilities have included the development and implementation of global information systems security management programs aligned with the NIST CSF, ISO 27001:2013, elements of the NIST 800 series and HIPAA/HITECH. I have also created new corporate risk programs, including the formation of a board-level Risk Committee, and implemented new vendor management programs to track the compliance state of our key vendors and data holders with HIPAA/HITECH and PCI DSS. I completed the requirements, testing and installation of a state-of-the-art security information and event management (SIEM) platform with IBM's QRadar and ArcSight, and likewise completed the requirements, testing and installation of two vulnerability scanners, IBM's QVM and Nessus. I developed an information security awareness program which included annual training for all staff.

I served as Chairperson of the Communications and Public Relations Project Group of Interpol's European Working Party on Information Technology Crime, as well as advising their Wireless Applications Security Project Group. I am the former President of the United Kingdom and Bluegrass chapters of the Information Systems Security Association (ISSA), and I have also served on the editorial advisory board of the ISSA Journal. I have attended numerous courses on cybercrime and white-collar crime through both the Kentucky Department of Criminal Justice Training and the National White Collar Crime Center.

It has been my honor to be named an ISSA International Fellow (2015) and to receive the International Information Systems Security Certification Consortium, Inc. (ISC)² President's Award for service to the information security community (2002, 2004 and 2009).

Lastly, I hold a Master of Science in Information Security from Royal Holloway, University of London, and I am a former senior instructor for the (ISC)² CISSP CBK seminar, an MCSE and a BS7799 Lead Auditor.

The opinions expressed in this blog are those of Richard Starnes and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.