CISOs say the best IT security programs build risk management into everything.

For Cris Ewell, CISO at Seattle Children's Hospital – a nonprofit pediatric hospital, academic medical center and research institute – risk management stands at the center of a mature information security program.

“We assess risk every day,” he says. “And it's not something that we do once and we're done. It's integrated into everything we do.”

Ewell says assessing risk starts with network scans for vulnerabilities, such as advanced persistent threats, zero-day attacks and other malware. His IT team reports whether each vulnerability is exposed only to the internal network or is reachable from the internet. He deploys software that assesses risk based on access, time of day and which network is being used, and his team then uses that assessment to decide which vulnerabilities get fixed first.

And vulnerability scans are just one aspect of the full program at Seattle Children's Hospital. Along with comprehensive scanning, Ewell's team is constantly adjusting network configurations and tweaking policies and procedures based on the latest security intelligence. 
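The prioritization Ewell describes, scanner severity adjusted by exposure, access and network context, can be illustrated with a small scoring routine. The code below is an added example and not Seattle Children's Hospital's tooling; the weights, the network segment names ("clinical", "corporate", "guest"), the finding identifiers and the sample findings are all constructed for illustration.

```python
"""Risk-based prioritization of vulnerability scan findings.

Added example, not the hospital's own tooling. Scoring weights, segment
names and sample findings are constructed assumptions for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str          # constructed placeholder ids, not real advisories
    cvss_base: float         # 0.0 - 10.0 severity as reported by the scanner
    internet_exposed: bool   # reachable from the internet vs. internal only
    network: str             # assumed segment names: clinical / corporate / guest
    privileged_service: bool # service runs with elevated access or holds credentials


# Constructed weights: how much each environmental factor amplifies base severity.
EXPOSURE_MULTIPLIER = {True: 2.0, False: 1.0}
NETWORK_WEIGHT = {"clinical": 1.5, "corporate": 1.0, "guest": 0.5}
PRIVILEGE_BONUS = 1.5


def risk_score(f: Finding) -> float:
    """Combine scanner severity with where the host sits and what it can reach.

    Base severity is doubled for internet-facing hosts, scaled by how
    sensitive the network segment is, and bumped when the affected service
    holds elevated access.
    """
    score = f.cvss_base * EXPOSURE_MULTIPLIER[f.internet_exposed]
    score *= NETWORK_WEIGHT.get(f.network, 1.0)  # unknown segment: no adjustment
    if f.privileged_service:
        score += PRIVILEGE_BONUS
    return round(score, 2)


def prioritize(findings):
    """Return findings ordered from highest to lowest contextual risk."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.host, f.finding_id))


def exposure_report(findings):
    """Bucket findings by whether they are internet-reachable or internal only."""
    report = {"internet": [], "internal": []}
    for f in findings:
        bucket = "internet" if f.internet_exposed else "internal"
        report[bucket].append(f"{f.host} {f.finding_id}")
    return report


# Constructed sample scan output.
SAMPLE_FINDINGS = [
    Finding("web-portal-01", "FINDING-0001", 7.5, True, "corporate", False),
    Finding("ehr-db-02", "FINDING-0002", 9.8, False, "clinical", True),
    Finding("guest-kiosk-07", "FINDING-0003", 9.1, False, "guest", False),
    Finding("vpn-gw-01", "FINDING-0004", 6.5, True, "corporate", True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):>6}  {f.host:<16} {f.finding_id}")
    print(exposure_report(SAMPLE_FINDINGS))
```

Note that the critical-severity kiosk on the guest network ends up last, while the internal database with a privileged service ranks above an internet-facing host with a lower base score: the point of contextual scoring is that remediation order follows exposure and impact rather than the scanner's severity alone.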

“There's really no one tool that we work with,” Ewell says. “We use lots of different tools and intelligence sources – ranging from security reports from the FBI, the Department of Homeland Security, and Health and Human Services for medical information, to the HITRUST Alliance and the National Council of ISACs. We use intelligence information that comes from other CISOs as well.”

Risk management (photo sidebar: Brent Conran, CSO, McAfee; Cris Ewell, CISO, Seattle Children's Hospital; Jim Routh, CISO, Aetna; Larry Trittschuh, SVP, threat and vulnerability management, Synchrony Financial)

But companies need to adjust controls in response to shifts in the threat landscape, adds Jim Routh, CISO at Aetna, a health insurance company based in Hartford, Conn. He points out that standards are helpful, but not sufficient.

“The most significant health care breaches are the result of phishing of credentials and adjustments to controls for in-bound and outbound phishing attacks,” Routh says. “Our approach is to align investment priorities with the top cyber risks for stakeholders to consider when making financial investments in new programs and emerging technologies.” 

A changing landscape

Just a few years ago, predicting the cost of a breach was a matter of understanding charges – such as third-party support, resource costs, lost productivity, IT/infrastructure response and recovery activities. The list also would typically include the cost of deploying new technologies and controls, plus fraud impact and identity protection services offered to customers, such as credit monitoring. However, given the growing threat landscape and the attention these breaches get in the media today, the real costs are much harder to calculate, as they now include several indirect and social costs.

“Given the wide impact of breaches on business operations, companies are more concerned with the reputational impact of cyber breaches, and their primary focus is client and customer impact and satisfaction,” says Larry Trittschuh, senior vice president, threat and vulnerability management, at Synchrony Financial, a financial institution based in Stamford, Conn.

Think of the hit on reputation that Target took in the press, which was followed by the embarrassing dismissal of its CEO Gregg Steinhafel and CIO Beth Jacob. Then the Sony incident saw President Obama getting into the fray and the federal government determining that North Korea was responsible.