By Lauren Graves
Jim Routh, Chief Information Security Officer at Aetna, has more than ten years of experience in information security. As the former Global Head of Application Security at JP Morgan Chase, he brings deep knowledge of the intricacies of mobile, social and application security. With consumer technology advancing faster than enterprise technology, and consumers driving the adoption of emerging technologies, Routh discusses the CISO's role in identifying opportunities for the business to improve effectiveness and efficiency while still managing IT risk effectively.
[Lauren Graves] Due to technological advancements in recent years, what are some innovative ways that you now think about mitigating the consequences of risk?
[Jim Routh] Conventional controls applied to disruptive and emerging technologies don’t work very well to manage risk, and more often than not they constrain business growth. For emerging technologies I look to apply innovation in control design, often considering technology options that are not yet mature but offer new methods for risk management without constraining the use of the emerging technologies. The best example of this that I can think of is the adoption of the DMARC standard for authenticating email from consumer companies as a technique for a dramatic reduction in fraudulent emails sent to consumers. The technology for authentication of email servers has been around for many years, but the evolution of the DMARC standard adopted by the large Internet Service Providers (ISPs) has made this a highly effective control that reduces spam and phishing emails while enabling a company’s own email to benefit from a higher response rate as consumer trust improves.
“The consumer is driving the adoption of emerging technologies today and every organization doing business with consumers needs to identify and implement the right balance of innovation and information protection.”
Another example is in mobile technology through software “wrapper” technology that enables enterprises to package up security controls (like root detection and authentication) and apply them as standards across mobile applications so developers don’t have to create different methods for these controls for each individual application. This decreases the residual security risk of using mobile applications and improves the consumer experience at the same time.
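The DMARC control Routh describes works because a receiving mail server checks that an SPF or DKIM pass is *aligned* with the visible From domain and then applies the domain owner's published policy. The following is an added illustration, not part of the interview or of any Aetna system: it parses a `_dmarc` TXT record, applies the RFC 7489 defaults, and derives the disposition for a message. DNS is replaced by a constructed in-memory zone (`CONSTRUCTED_DNS`), the domains and authentication results are made up, the organizational-domain logic is deliberately simplified, and `pct=` sampling is parsed but treated as 100 so the output is deterministic.

```python
"""
DMARC evaluation as a receiving mail server performs it: look up the sender's
_dmarc TXT record, test whether an SPF or DKIM pass is aligned with the
RFC5322.From domain, and derive the disposition from p= / sp=.

Added example. DNS lookups are replaced by CONSTRUCTED_DNS (made-up records for
reserved example domains); pct= is parsed but treated as 100.
"""

# Constructed stand-in for DNS TXT lookups; these are not real published records.
CONSTRUCTED_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc_record(txt):
    """Parse 'tag=value; tag=value' into a dict and apply RFC 7489 defaults."""
    tags = {}
    for field in txt.split(";"):
        field = field.strip()
        if not field:
            continue
        if "=" not in field:
            raise ValueError(f"malformed DMARC field: {field!r}")
        name, value = field.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")       # relaxed SPF alignment by default
    tags.setdefault("sp", tags["p"])   # subdomains inherit p= unless sp= is set
    tags.setdefault("pct", "100")      # sampling; treated as 100 in this example
    return tags


def organizational_domain(domain):
    """Simplified: the last two labels. Production code must use the Public
    Suffix List so that 'mail.example.co.uk' maps to 'example.co.uk'."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def lookup_dmarc(from_domain, dns=CONSTRUCTED_DNS):
    """Try _dmarc.<From domain>, then _dmarc.<organizational domain>.
    Returns (record or None, True if the record was found at the org domain)."""
    from_domain = from_domain.lower()
    txt = dns.get(f"_dmarc.{from_domain}")
    if txt is not None:
        return parse_dmarc_record(txt), False
    org = organizational_domain(from_domain)
    txt = dns.get(f"_dmarc.{org}")
    if txt is not None and org != from_domain:
        return parse_dmarc_record(txt), True
    return None, False


def is_aligned(from_domain, authenticated_domain, mode):
    """Identifier alignment: 's' = exact match, 'r' = same organizational domain."""
    a, b = from_domain.lower(), authenticated_domain.lower()
    if mode == "s":
        return a == b
    return organizational_domain(a) == organizational_domain(b)


def evaluate_dmarc(from_domain, spf_result, spf_domain, dkim_result, dkim_domain,
                   dns=CONSTRUCTED_DNS):
    """Return (dmarc_result, disposition). spf_domain is the MAIL FROM domain;
    dkim_domain is the d= of a verified signature, or None if there is none."""
    record, from_org = lookup_dmarc(from_domain, dns)
    if record is None:
        return "none", "none"  # no policy published, nothing to enforce
    spf_ok = (spf_result == "pass" and spf_domain is not None
              and is_aligned(from_domain, spf_domain, record["aspf"]))
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and is_aligned(from_domain, dkim_domain, record["adkim"]))
    if spf_ok or dkim_ok:
        return "pass", "none"
    # Subdomain without its own record: the org record's sp= applies.
    policy = record["sp"] if from_org else record["p"]
    return "fail", policy


if __name__ == "__main__":
    # A spoofed message: SPF and DKIM both pass, but for the attacker's domain.
    print(evaluate_dmarc("example.com", "pass", "mail.phish.test", "pass", "phish.test"))
```

The spoofing case in the usage line is the one that matters for the fraud reduction Routh describes: the attacker's own SPF and DKIM results are valid, but neither identifier aligns with `example.com`, so the receiver applies `p=reject`. The `example.org` record with `p=none` shows the monitoring-only posture most domain owners start in; alignment failures are reported but nothing is blocked.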
[Lauren Graves] As the Head of Information Security at Aetna, what would you say is the organization’s information security vision?
[Jim Routh] Our vision is to be recognized by consumers, plan sponsors, providers, regulators, and affiliates for world class capabilities in information security risk management integrated with innovative products and services that fundamentally change healthcare.
[Lauren Graves] Based on your past experience in the field, what tactics do you find to be the most successful for ensuring the security of the company’s global information?
[Jim Routh]
- Evolving from a compliance-based program to a risk-driven information security program
- Identifying controls for three levels of information classification to ensure the opportunity to apply the most rigorous controls to the highest-risk classification
- Applying software development controls early in the lifecycle to avoid and fix defects during development
- Embedding key controls within existing business processes and measuring the effectiveness or health of the business processes through Key Performance Indicators (KPIs) to make adjustments
- Identifying opportunities for the business to improve effectiveness and efficiency while also managing IT risk effectively
[Lauren Graves] With the prominence of emerging technologies (such as mobile, social, and cloud technology), what are the biggest challenges you face as a CISO?
[Jim Routh] One of the major challenges is adjusting the perception of business leaders: mobile technology is well established with consumers today, and the near future is the convergence between Social, Mobile, Analytics, and Cloud, or SMAC, technologies. Most of us use mobile technology to browse the web more frequently than a conventional web interface. We sleep with our smartphones within 5 feet of our bodies at night, 65% of us believe having a smartphone makes us a better parent, and 75% admit to using their smartphone in the bathroom. Clearly mobile technology is here, while the most popular mobile application worldwide is a social network app (Facebook in North America), and since social networks use cloud computing it is clear that understanding the convergence of these technologies is essential to offering compelling consumer products and services. The implication for CISOs is to make some bets on emerging technology security solutions in this convergence that offer controls without constraining the use of the technologies and enable protection of data through applications, whether hosted internally or in the cloud.
One of the most strategic skill sets in an information security organization is the A in “SMAC”, for analytics. There is a wealth of implemented security control solutions that produce terabytes of data on IT usage and control effectiveness, giving more data sources and a greater volume of data that can be interrogated for spotting trends and anomalies. Data scientists are highly sought after by all firms in IT and information security; data scientists have a wonderfully secure future at those firms investing in security data analytics.
[Lauren Graves] What are your goals for the future of Aetna’s security? How has your focus shifted, if at all, over the past few years?
[Jim Routh] My primary focus for Aetna security is to evolve our practices to be risk-driven, which implies understanding and responding to threat trends and threat actor techniques that consistently change. The primary difference is that the consumer is driving the adoption of emerging technologies today, and every organization doing business with consumers needs to identify and implement the right balance of innovation and information protection.
Technology development especially in the convergence of SMAC is well ahead of the consumer’s appetite for sharing information about their behavior. Today critical decisions on how to use information collected from smartphones are made by developers working for commercial software vendors. CISOs need to work with consumer oriented business leaders to determine where to draw the line on the use of personal information (in the same way we have done for the web) in the SMAC world. CISOs need to understand the need to ensure that consumer privacy and the protection of information remains core to consumers regardless of what emerging technology offers. The smartphone is an intimate part of our daily existence and companies that consider protecting consumer information from mobile applications will be more successful in the long run.
Jim Routh is the Chief Information Security Officer and leads the Global Information Security function for Aetna. He is the Chairman of the FS-ISAC Products & Services Committee and former board member. He is currently a board member of the National Health-ISAC. He was formerly the Global Head of Application & Mobile Security for JP Morgan Chase. Prior to that he was the CISO for KPMG, DTCC and American Express and has over 20 years of experience in information technology and information security as a practitioner, management consultant and leader of technology, analytic and information security functions for global financial service firms.
Jim is the winner of the 2009 BITS Leadership Award for outstanding leadership of the Supply Chain Working Group sponsored by the financial industry in collaboration with NIST and the Department of Treasury. He was the 2007 Information Security Executive of the Year for the Northeast and is a widely recognized expert in security program implementation. Jim was successful in reducing information security costs while significantly improving enterprise risk management practices through innovation and transformational leadership.