For Cris Ewell, CISO at Seattle Children's Hospital – a nonprofit pediatric hospital, academic medical center and research institute – risk management stands at the center of a mature information security program.“We assess risk every day,” he says. “And it's not something that we do once and we're done. It's integrated into everything we do.”
Ewell says assessing risk starts with network scans for vulnerabilities, such as advanced persistent threats, zero-day attacks and other malware. His IT team issues reports on whether the vulnerabilities are exposed to the internal network or if they have access to the internet. He deploys software that assesses risk based on access, time of day and which network is being used, and then his team can assess the risk and focus on which vulnerabilities get fixed first.
And vulnerability scans are just one aspect of the full program at Seattle Children's Hospital. Along with comprehensive scanning, Ewell's team is constantly adjusting network configurations and tweaking policies and procedures based on the latest security intelligence.
“There's really no one tool that we work with,” Ewell (left) says. “We use lots of different tools and intelligence sources – ranging from security reports from the FBI, the Department of Homeland Security, and Health and Human Services for medical information, to the HITRUST Alliance and the National Council of ISACs. We use intelligence information that comes from other CISOs as well.”
Cris Ewell, CISO, Seattle Children's Hospital
Jim Routh, CISO, Aetna
Larry Trittschuh, SVP, threat and vulnerability management, Synchrony Financial
But companies need to adjust controls in response to shifts in the threat landscape, adds Jim Routh, CISO at Aetna, a health insurance company based in Hartford, Conn. He points out that standards are helpful, but not sufficient.
“The most significant health care breaches are the result of phishing of credentials and adjustments to controls for in-bound and outbound phishing attacks,” Routh says. “Our approach is to align investment priorities with the top cyber risks for stakeholders to consider when making financial investments in new programs and emerging technologies.”
A changing landscape
Just a few years ago, predicting the cost of a breach was a matter of understanding charges – such as third-party support, resources costs, lost productivity, IT/infrastructure response and recovery activities. The list also would typically include the cost of deploying new technologies and controls, plus fraud impact and identity protection services offered to customers, such as credit monitoring. However, given the rising threat landscape and the attention these breaches get in the media today, the real costs are much harder to calculate as they now include several indirect and social costs.
“Given the wide impact of breaches on business operations, companies are more concerned with the reputational impact of cyber breaches, and their primary focus is client and customer impact and satisfaction,” says Larry Trittschuh, senior vice president, threat and vulnerability management, at Synchrony Financial, a financial institution based in Stamford, Conn.
Think of the hit on reputation that Target took in the press, which was followed by the embarrassing dismissal of its CEO Gregg Steinhafel and CIO Beth Jacob. Then the Sony incident saw President Obama getting into the fray and the federal government determining that North Korea was responsible.
In many cases, follow-up from these high-profile incidents find that companies don't have the necessary people or security policies and programs in place. But, experts agree, that's part of what's changing. CISOs report that CEOs finally understand the potential risks their companies face and are starting to pay more than lip service to their IT security personnel. The smart ones are developing mature risk assessment programs.
Trittschuh says the financial sector focuses on risk much more than other industries. He says the regulations are so stringent in banking and finance that they must continually assess the company's risk posture and take appropriate actions to protect the company, its employees and clients and customers.
In adapting to this changing and more dangerous threat landscape, Trittschuh says it's important to have an intelligence-driven information program. Synchrony Financial uses many of the same intelligence sources as does Seattle Children's Hospital. He says companies must prioritize the threats and focus on those that are most important to their organization.
“It's also important to be forward-looking,” he adds. “The cyber threats we face today will continue to evolve, and our business will evolve to meet the needs of the customer. In our role as security advisors, we help the business understand the potential future cyber risks.”
Trittschuh (left) says his team also assesses risk as the technology trends in the industry change. Mobile banking, for example, represents a fundamental evolution in the banking industry – and in society as a whole. But with that mobility comes many new security risks. Consumers who now depend on mobile banking must be educated on how to more safely make bank transfers and pay bills on their mobile devices.
What if the device gets into the wrong hands? It's one thing if it's a corporate device protected by a mobile device management system. But, millions of people use mobile banking with limited protections. He says to be successful, Synchrony Financial must identify the risks associated with mobile computing and put the programs in place to protect the company's clients and customers.
“We have recently made announcements about our work with Apple Pay, Samsung Pay, LoopPay and other mobile banking initiatives,” he says. “Our security team gets engaged in each of these conversations to make sure we are balancing risk appropriately.”
For example, Samsung Pay uses PINs and passwords, making it immediately more secure than a traditional wallet. And all Synchrony private label card accounts in Samsung Pay are device-specific and use domain-restricted tokens, meaning the tokens will only work in a specific merchant's store.
A shift in focus
Brent Conran, CSO at McAfee, says companies are experiencing sophisticated attacks that are chained across two, three and even four systems. For that reason, he says IT security professionals have to adjust their thinking around risk management to assess the entire dynamic, as opposed to one element.
Systems today are more interdependent and the threat actors find more sophisticated ways to enter corporate systems, he says. For example, if a company deployed a new video conferencing system, they would have to open up a set of ports or services. Because the video system fits into the IT infrastructure, it's also important to assess the risk to other systems, such as the company's databases, its human resources systems and overall internet traffic and web applications.
“Any time you add a new system, you have to do a risk assessment of that system and the entire infrastructure,” Conran says. “By opening a set of ports or services for one system, you have to look at that change in aggregate of the entire infrastructure to assess the company's security posture.”
Which means IT security managers must consider the impact of a new technology across the enterprise. With the decline of stovepipes come new risks, and security pros must balance security controls with the network experiences of employees, customers and partners.
“It's all a matter of deciding which data is most important to the organization,” Conran says. “Companies have to decide what information and intellectual property makes them unique and implement controls based around that information.”
Much of this gets to the notion of how companies can justify investment in information security. For Conran, it's a matter of cost avoidance. He says it's infinitely more expensive to install and integrate security systems and risk management programs following a breach. “It's proven that the cost of remediation is more expensive by a factor of 10x,” he says.
These are all difficult choices for security professionals, many of whom are often lucky to have the basics of anti-virus, firewalls, intrusion/detection and possibly sandboxes and endpoint tools. A company the size and maturity of JPMorgan Chase, for example, can survive a breach because it has a team of 300 IT people focused on solving problems and assessing risk. But, not every company has that luxury. The prognosis, though, as more of these high-profile security events make the news, is that companies will have little choice but to put resources to not just people who can handle the tools, but also those who can look holistically at the risk and perform strategic assessments that keep companies one step ahead of the hackers.
Aetna's Routh (left) says his company has a formal process to assess threat changes and impacts on vulnerabilities that result in enterprise-wide cyber risks. Aetna calls its system the “Threat, Vulnerability Assessment Process.” It's a cross-functional approach in which security pros analyze data from the preceding 24 hours and identify anomalies and patterns which they share in a daily call to create a tally that influences the enterprise-wide risk score. This feeds into a quarterly process that updates the top cyber risks ranked by order of probability that is then used for alignment to existing and future projects.
Too much is at risk not to have these systems in place. It's one thing to lose money. It's another thing to lose goodwill in the marketplace, and then lose your job. Remember, Target's Steinhafel was forced out after a distinguished 35-year career at the company. It was a shame for one incident to have so much consequence. But that's what's at stake. So yes, companies need to provide their security pros with the tools, but they also have to assess the risk.
Assessment: Five questionsCris Ewell, CISO of Seattle Children's Hospital, offers companies five questions to ask in putting together a risk management program. Much of his concerns center around protecting mission-critical data.
- In what type of system will the data be stored? Check the status of your storage systems and if they need to be upgraded.
- How much will be stored? Multiple terabytes of data require protected facilities with proper cooling and environmental controls.
- What type of data is it? In the medical world, we need to know if it's protected health information (PHI) or personally identifiable information (PII).
- Who will host the data? Will it be stored internally or at a service provider?
- If it's publically-available data, are proper controls in place? If the data is being stored at a service provider, get the provider to show you the documentation. Also, ask them what kind of breach-response procedures they follow.