Aetna CISO Touts the Benefits of 'Unconventional Controls'
Jim Routh Describes How to Fight Evolving Cyber Threats
The adoption of "unconventional" security controls that are risk-driven can help organizations adapt to the changing cyber threat landscape, says Jim Routh, chief security officer at health insurer Aetna.
"It turns out that all of us in security learned conventional controls - and that's a good, strong foundation," he says. "Conventional controls are found in risk frameworks - they're commonly known, referenceable and there are policies that drive those conventional controls. They're established and tried and true." Those include the controls that are part of the National Institute of Standards and Technology's cybersecurity framework, he says.
"But what's happened over the last 10 years is that as organizations have adopted more risk-driven security - responding to changes in threat actor tactics - we venture into unconventional controls that aren't necessarily defined in a risk framework, but are highly effective in improving resiliency in the enterprise," Routh says.
So, for example, in email phishing, a conventional control is user awareness and education, he notes. "An unconventional control is ... [using the] DMARC [Domain-based Message Authentication, Reporting & Conformance] standard," he says. That helps prevent email systems from being hijacked by attackers so that "all outbound email from an enterprise will be delivered and email not coming from that enterprise will not be delivered."
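To make the DMARC point concrete, here is an added Python sketch (not code from the article or from Aetna) of the receiver-side decision a published DMARC policy drives: the domain owner's record, combined with SPF/DKIM alignment against the visible From domain, determines whether mail claiming that domain is accepted or rejected. The record and message values below are constructed, and organizational-domain matching is simplified to the last two labels (real receivers consult the Public Suffix List).

```python
"""Minimal DMARC policy evaluator (added example, simplified for clarity)."""


def parse_dmarc(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    # Assumption: organizational domain = last two labels (PSL not consulted).
    return ".".join(domain.lower().split(".")[-2:])


def aligned(header_from, auth_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') needs the same org domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def evaluate(record, header_from, spf_pass_domain=None, dkim_pass_domain=None):
    """Return 'pass', or the disposition the domain owner requested
    ('none', 'quarantine' or 'reject') when neither SPF nor DKIM aligns.

    spf_pass_domain / dkim_pass_domain are the domains for which SPF or DKIM
    already produced a 'pass'; None means that check failed or was absent."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass_domain is not None and aligned(
        header_from, spf_pass_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_pass_domain is not None and aligned(
        header_from, dkim_pass_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    policy = tags["p"]
    # 'sp' overrides 'p' for mail from a subdomain of the organizational domain.
    if "sp" in tags and header_from.lower() != org_domain(header_from):
        policy = tags["sp"]
    return policy
```

A message that spoofs the From domain without an aligned SPF or DKIM pass lands on the `p=` disposition, which is the "will not be delivered" outcome Routh describes.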
In a video interview at Information Security Media Group's recent Healthcare Security Summit in New York, Routh also discusses:
- Ransomware trends impacting the healthcare sector;
- How improving "software currency" can make enterprises less vulnerable to ransomware attacks;
- Aetna's move to continuous behavioral authentication.
Routh heads the global information security function for Aetna. He is also the chairman of the FS-ISAC Products and Services Committee and a board member of the National Health-ISAC. He was formerly the global head of application and mobile security at JPMorgan Chase and served as CISO at KPMG, DTCC and American Express.