BreachExchange mailing list archives

Cybersecurity at Aetna Is a Matter of Business Risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 30 Mar 2015 19:17:33 -0600

http://blogs.wsj.com/cio/2015/03/30/cybersecurity-at-aetna-is-a-matter-of-business-risk/

Security breaches have become a daily fact of digital life, prompting some
companies like insurance giant Aetna Inc. to approach
cybersecurity as just one more business risk that needs to be managed, much
as they approach fluctuating currency prices or the threat of lawsuits.

It’s a departure from a traditional mindset, in which cybersecurity is
viewed primarily as a tech problem that needs to be fixed. Each day, Aetna
Chief Information Security Officer Jim Routh looks at the cybersecurity
threats facing the health insurer and how they’ve changed in the last 24
hours. He also looks at changes in Aetna’s ecosystem. He translates that
information into a daily risk score and distributes it to company leaders.
Understanding that risk is essential to making long- and short-term
decisions on the allocation of scarce resources to the highest risks, he
said.

“We’re transparent about the risks to pretty much anyone inside the company
because knowing the risk is the first step towards mitigating and managing
that risk long term,” Mr. Routh told CIO Journal.

He shares an understanding of that risk throughout the business, which
helps the company respond quickly to shifting threats, and make informed
decisions about where to devote staff efforts or invest money in
strengthening defenses. Expecting technology to magically fix cybersecurity
problems is just as unrealistic as buying a financial system and expecting
to no longer worry about financial management, said Kennet Westby,
president of Coalfire Systems Inc., a cyberrisk advisory firm. “This is not
a problem you can solve, but it’s a problem you can manage,” said Mr.
Westby.

Mr. Routh and his team look at threat information from thousands of
sources. Aetna subscribes to three threat intelligence services and is a
member of two information sharing and analysis centers for financial
services and health care. At a 4:00 p.m. meeting each day, his team meets
to talk about new security threats and to interpret what it means for
Aetna’s risk. The tool Mr. Routh uses is a simple spreadsheet that looks at
various categories of security controls within the company.

For example, one category is called Inside Out Controls and there are
dozens of examples of these controls. This category looks at controls for
data leaving the company along with behavioral information on the usage of
Web services, mobile applications, Secure File Transfer Protocol and email.
This may include tools like behavioral analysis software to analyze whether
bad actors are trying to take information out of the company’s network.
Another example of an Inside Out Control is that Aetna, like many
companies, can see and control which cloud services employees use. “We have
a risk profile for each cloud service,” said Mr. Routh. The company blocks
access to high-risk sites preventing exposure of its data, he said. So if a
popular cloud service employees use experiences a major data breach then
the risk profile for that cloud service would increase.

“We rank every single threat every single day,” said Mr. Routh. “Because we
measure every day, we know what it is and when it changes,” he added. He
uses daily information to reassess the ranking of top risks to the
enterprise.

For example, news surfaced starting in late January that a nationalist
Turkish hacker group had started attacking political targets, like the
website of the government of Ghana and other political targets. That was a
change that caught Mr. Routh’s attention because he hadn’t seen these kinds
of attacks come from Turkey, he said. There have also been news reports
that Chinese nation-state hackers are suspected of targeting health-care
information, he said.

Mr. Routh has been ranking cyber risks for 12 years – the last two at Aetna
– and he said he didn’t previously worry about nation state hackers.
“That’s all changed and now we monitor nation states – it’s one of our
biggest threats today,” he said.

When threats spike in a certain area – like the attack on Sony Pictures
Entertainment – Mr. Routh looks at all the remediation projects he’s got
underway to see if any of them need to be reprioritized. For example, Aetna
made revisions to its data recovery practices based on the destructive
malware used against Sony. Mr. Routh’s list of remediation projects is
prioritized according to risk with the ones at the top of the list getting
the best resources and the ones at the bottom getting little or no
resources.

Most companies evaluate cybersecurity risk on a quarterly basis and more
are starting to do it monthly, said Mr. Westby. He doesn’t know any that do
it daily like Aetna.

Ranking threats every single day may not be the best move for every
company, say experts. In fact, many companies may not have the resources or
the team that can actually translate those threats into actionable
intelligence. Doing the basics of cybersecurity such as deploying intrusion
prevention systems, anti-virus software and passive defenses such as
firewalls should be the first priority, said Robert M. Lee, a co-founder at
industrial control systems security firm Dragos Security LLC and an
active-duty U.S. Air Force cyberspace operations officer.

“I can have all the best threat intelligence in the world and figure out
how to leverage it but if I have unpatched systems then I’m wasting my
time,” he said.

Mr. Routh estimates that about 70% of security controls represent good IT
hygiene such as server configuration management, patch management, incident
response, security monitoring, network perimeter monitoring and building
security controls into software as it's being developed. Yet, those basics
don't address emerging technology and the evolution of threats, he said.

Also, CEOs and boards may be surprised to find that even though they’ve
increased the cybersecurity budget by millions of dollars that the risk has
also increased, said Anton Chuvakin, a research vice president covering
security and risk at research firm Gartner Inc. That’s because the risk for
the overall industry may have increased as more attackers target the
sector. “There is no magic button to spend money to lower risk,” said Dr.
Chuvakin.

He notes that after a breach, one health-care CISO received a major budget
increase and was told to take care of risk. That CISO has budget left over
because he needs to hire people and there’s nobody to hire because of a
scarcity of talent.

At Pacific Gas & Electric Co., former CISO James W. Sample faced the issue
of risk remaining high to the industry even as the company spent money to
improve its cybersecurity capabilities. He started to chart the company’s
security capabilities and how it was improving relative to that risk so
company leaders and the board could measure progress, he told CIO Journal.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 