On his first day as a CISO for financial giant American Express, Jim Routh learned a valuable lesson on the kindness of strangers.
He looked at his calendar and saw that he was due to present a security strategy the following day to the Office of the Controller of the Currency. He felt ill-prepared. “I was in over my head,” he says.
He reached into his pocket for a lifeline – a piece of paper with the phone number of CISO Steve Katz, whom he had met previously and who had told him to seek his help anytime. “I don’t know what I am doing,” he told Katz. “I’ll be right over,” Katz replied.
Forty-five minutes later, Katz indeed was in Routh’s office, with two other CISOs from other financial services firms. “They dropped everything they had to do that afternoon to help me,” Routh says. They helped him create a presentation and then coached him on how to deliver it.
The presentation was a success; Routh was told his strategy was a good one.
“What that taught me is that no matter who you are, you share information to help others be successful. To this day, I still practice that in everything I do,” he says.
A roundabout path
Routh, now the CSO of Aetna, studied history in college and thought because of his entrepreneurial nature he would work for a startup. After college he joined a small business, studied how businesses were run, and worked his way up to vice president. He then trained to be a financial planner.
But a more lucrative offer, this time in IT consulting, presented itself at a time when PCs were becoming more prominent in corporations.
Routh spent the next 15 years consulting, which involved extensive business travel that eventually took a toll on his time with his family. He brought his family to Minneapolis, where he ran IT for American Express Financial Advisors. He loved the job, but the winters were harsh, so much so that his wife told him one day: “The kids and I are moving back East. Would you like to come?”
He asked his boss to find him another job in the company so he could join his family. He led a team that ran behavioral analytics for marketing campaigns, and this unit eventually merged with the risk analytics team. Routh reported to the Chief Risk Officer. Soon, he was appointed the first CISO of American Express.
Different sectors, different strokes
Routh has seen enough of both the financial and the healthcare industries to say that security is different from one company to another. “You have the same controls, you have the same focus, but different companies, even in the same business, have a different cultural profile, and that’s a different risk tolerance and leads to different ways to make decisions.”
In financial services, there is significantly greater volume of attacks. “Professional criminal syndicates have hundreds of millions, in some cases billions of dollars, to invest in infrastructure to commit fraud. They’re very sophisticated. They have a tremendous amount of resources they pour into their techniques and their tools,” he says.
Routh learned that healthcare has the same diversity of threat actors as financial services; the difference is that the volume of attacks is higher in financial services. There are criminal syndicates, hacktivists and nation-state sponsored actors in addition to individual criminals. The attack surface in healthcare is exponentially greater, largely because personal health information is shared with the many entities within the healthcare ecosystem and is often attributed back to the patient using a Social Security number as the identifier.
Healthcare companies are always looking to take advantage of new delivery systems and IT components to improve healthcare for consumers, which leaves them with significantly more diverse IT to manage. They also hold a tremendous amount of patient/consumer information. “There might be 80% of the data that is health specific and highly sensitive,” Routh says, adding that in banks the most sensitive data (account information) represents only about eight to 10 percent of the entire data in the enterprise.
Add to this the fact that many healthcare providers are not-for-profit and do not have high margins. The reality is that they can’t afford the technical and security support that other industries can. They have more diversity of IT and fewer resources to deploy.
Sleeping like a baby
Fifteen years have passed since Routh had to retool and immerse himself in cybersecurity. This does not mean that he has become comfortable in his job. “I sleep like a baby,” he says. “And a baby typically wakes up every three or four hours crying [this was originally attributed to Steve Katz].”
In this job, after all, the prospect of a major security breach always looms large, so Routh is constantly thinking about staying ahead by creating friction for the threat adversary.
First, he knows he can’t rely exclusively on established or conventional controls (control standards within an established risk framework). Second, he thinks of authentication not as an event but as a continuous process, using behavioral attributes of the consumer to authenticate them throughout the electronic interaction. Third, he works with early-stage security and technology companies that are willing to develop new capabilities based on use cases provided by Aetna. “That’s how innovation emerges in control design that adds friction for threat actors and removes friction for the consumer,” he says.
It’s also important to know where the industry is headed.
As an example, the cost of vulnerability management for an enterprise is increasing at an unsustainable rate, Routh says. Between 2016 and 2017 it rose 30%. Based on six-month data for 2018 compared with 2017, it is on track to increase another 30%. “What that means is that when there are significant vulnerabilities that get announced and patches that have to be deployed, the cost of making the changes falls on the enterprise. The fact that it’s increasing by 30% is what makes it unsustainable.” This information is based on early results from a study of financial services and healthcare enterprises by a working group that aims to help all enterprises understand the cost escalation and seek methods for managing the costs more effectively.
Software manufacturers today are driven by the market to create new functionality and improve time to market. They do not have an incentive to address this growing enterprise cost of managing vulnerabilities. “There’s a misalignment of incentive because the enterprise can’t do anything about the software and firmware defects; high-risk defects specifically increased from 2016 to 2017 by 36%.” Since enterprise IT functions consistently manage costs to deliver more capability at a lower unit cost through performance improvement and improved techniques, they need to figure out how to offset the increase in vulnerability management costs through better practices.
Finally, data science and artificial intelligence will continue to play a big role in cybersecurity, specifically in behavior analysis. “Machine learning does that really well in terms of creating an algorithm that can recognize whether the data fits the pattern or not,” he says. This can be applied to continuous authentication, privileged user monitoring, filtering inbound emails, identifying malware on endpoints, high-risk user monitoring or fraud detection. In Aetna’s case, ML models are used for all of these, deployed across nine different technology platforms driving front-line security controls.
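The two ideas above, authentication as a continuous process driven by behavioral attributes and a model that decides whether each new observation "fits the pattern", are sketched below as an added illustration; it is not Aetna's code or any system described in this profile. A per-user baseline is learned from enrollment samples, each session step gets a z-score per feature, and a decaying session risk triggers step-up authentication. The feature names, sample values and thresholds are constructed assumptions.

```python
from dataclasses import dataclass, field
from math import sqrt

# Behavioral attributes sampled at each step of a session (constructed feature names).
FEATURES = ("key_interval_ms", "request_gap_s", "pointer_speed")
Z_CAP = 5.0  # cap per-feature surprise so one wild reading cannot dominate the score

@dataclass
class Baseline:
    """Per-user running mean/variance of each feature (Welford's online algorithm)."""
    n: int = 0
    mean: dict = field(default_factory=lambda: {f: 0.0 for f in FEATURES})
    m2: dict = field(default_factory=lambda: {f: 0.0 for f in FEATURES})

    def update(self, sample):
        self.n += 1
        for f in FEATURES:
            delta = sample[f] - self.mean[f]
            self.mean[f] += delta / self.n
            self.m2[f] += delta * (sample[f] - self.mean[f])

    def zscore(self, f, value):
        """Standard deviations between `value` and this user's habit for feature f."""
        if self.n < 2:
            return 0.0
        std = sqrt(self.m2[f] / (self.n - 1)) or 1e-9  # zero spread: any deviation is surprising
        return min(abs(value - self.mean[f]) / std, Z_CAP)

def score_session(baseline, observations, step_up_at=6.0, decay=0.8):
    """Allow or step up at each step. Risk decays but carries over, so a run of mild
    deviations accumulates into a step-up while one odd reading does not."""
    risk, decisions = 0.0, []
    for obs in observations:
        risk = risk * decay + sum(baseline.zscore(f, obs[f]) for f in FEATURES)
        decisions.append("step_up" if risk >= step_up_at else "allow")
    return decisions

def enrolled_baseline():
    """Constructed enrollment samples: mean 200/5/1.0 and std 10/1/0.2 per feature."""
    b = Baseline()
    for row in [(190, 4, 0.8), (210, 6, 1.2), (190, 4, 0.8), (210, 6, 1.2), (200, 5, 1.0)]:
        b.update(dict(zip(FEATURES, row)))
    return b

# Constructed sessions: real user for two steps then a takeover; and mild (z=1) but persistent drift.
TAKEOVER = [dict(zip(FEATURES, r)) for r in [(205, 5.5, 1.1), (195, 4.5, 0.9), (260, 1, 2.0), (250, 1.5, 1.8)]]
DRIFT = [dict(zip(FEATURES, (210, 6.0, 1.2)))] * 3

if __name__ == "__main__":
    print(score_session(enrolled_baseline(), TAKEOVER), score_session(enrolled_baseline(), DRIFT))
```

Only steps that are allowed should be fed back into the baseline afterwards, so that an intruder's behavior never becomes the user's new normal.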
“Data science is a foundational component of cyber security today and in the future.” Jim’s team developed a curriculum for all security professionals to learn the fundamentals of data science and the core team of data scientists is growing substantially to help design and implement new controls.
Attracting top talent
There is a consensus that one of the main problems hounding security today is the shortage in human capital. Routh, however, says he has not had any trouble attracting world-class talent to his Aetna team.
He does not require highly experienced hires to work in specific locations, which gives Aetna access to top talent. Aetna offers all security professionals the opportunity to identify the skills they wish to invest their time in mastering, and then supports development activities that teach them techniques to make them more marketable. “This gives them options toward a more fulfilling career. We win people’s hearts by teaching them techniques that they can’t learn anywhere else.”
Routh also makes a conscious effort to be diverse, hiring women, minorities and veterans. “Not only do we find world-class talent, we find diverse world-class talent.”
Back to basics
“When I get stressed out and I need to decompress, first thing I do is read,” Routh says. It’s a habit he has passed on to his three children, two of whom have pursued cybersecurity careers themselves. “We pass around books during family vacations.”
As for Katz, the person who saved the day for him many years ago, Routh says he has kept up the connection. “There’s not a week that goes by that I don’t talk to Steve.”
Routh pays it forward by mentoring others, in his organization and as chairman of the National Health Information Sharing and Analysis Center (NH-ISAC).
“It’s why I share. There’s no practice that I use and no technology capability that I use for security in Aetna that I don’t share with other companies and other peers.”