Authentication , Ransomware , Risk Management

Aetna CISO Touts the Benefits of 'Unconventional Controls'

Jim Routh Describes How to Fight Evolving Cyber Threats
Jim Routh, chief security officer, Aetna

The adoption of "unconventional" security controls that are risk-driven can help organizations adapt to the changing cyber threat landscape, says Jim Routh, chief security officer at health insurer Aetna.

See Also: Effective Cyber Threat Hunting Requires an Actor and Incident Centric Approach

"It turns out that all of us in security learned conventional controls - and that's a good, strong foundation," he says. "Conventional controls are found in risk frameworks - they're commonly known, referenceable and there are policies that drive those conventional controls. They're established and tried and true," he says. Those controls include those that are part of the National Institute of Standards and Technology's cybersecurity framework, he says.

"But what's happened over the last 10 years is that as organizations have adopted more risk-driven security - responding to changes in threat actor tactics - we venture into unconventional controls that aren't necessarily defined in a risk framework, but are highly effective in improving resiliency in the enterprise," Routh says.

So, for example, in email phishing, a conventional control is user awareness and education, he notes. "An unconventional control is ... [using the] DMARC [Domain-based Message Authentication, Reporting & Conformance] standard," he says. That helps prevent email systems from being hijacked by attackers so that "all outbound email from an enterprise will be delivered and email not coming from that enterprise will not be delivered."

In a video interview at Information Security Media Group's recent Healthcare Security Summit in New York, Routh also discusses:

  • Ransomware trends impacting the healthcare sector;
  • How improving "software currency" can make enterprises less vulnerable to ransomware attacks'
  • Aetna's move to continuous behavioral authentication.

Routh heads the global information security function for Aetna. He also is the chairman of the FS-ISAC Products and Services Committee and is a board member of the National Health-ISAC. He was formerly the global head of application and mobile security at JPMorgan Chase and served as CISO at KPMG, DTCC and American Express.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.