Cybersecurity Controls in Financial Services and Healthcare
Jim Routh — current cybersecurity consultant and former CISO extraordinaire — sits down with BigIDeas on the Go to talk about his background in cybersecurity, the differences and similarities between the FinServ and healthcare cybersecurity landscapes, and the sensitive information that is most coveted by threat actors.
Cybersecurity from FinServ to Healthcare
“I’m at the point in my career where I’m a lot better known for what I used to do versus what I do today,” says Routh, whose CISO CV includes big-name brands AmEx, JPMorgan Chase, Aetna, CVS, MassMutual, KPMG, and more.
“I’ve spent most of my time in financial services — a highly regulated environment … and I’ve also spent about six years in healthcare,” says Routh.
In that time, he learned that “the diversity of threat actors that financial services addresses is far more significant than any other industry,” says Routh. “And the volume of attacks within the diversity of tactics that are used is also substantially greater than other industries.”
When Routh made the transition to healthcare, “one of the things that intrigued me was that patient data was so pervasive and highly sensitive. I was looking at data protection — and really cybersecurity — controls for healthcare based on the assumption that the intensity of the customer or patient information was so significant that it warranted some fundamentally different controls and approaches and probably a very different threat landscape.”
Over time, Routh discovered that he needed to shift his perspective from differences to similarities. Contrary to his expectations, “the threat landscape for healthcare is actually not that different from financial services. There’s a lot lower volume, but there’s still a diversity of threat actor tactics … and it’s all about identity and it’s all about harvesting identity information, replicating and adding identities, setting up new accounts — and committing fraud.”
Not All Data Is Created Equal — to a Threat Actor
When it comes to protecting crown jewel data, “many enterprises look at their own data and say, ‘oh, this type of data is the most valuable, so we’re going to put our best controls on this type of data!’” says Routh.
“However, if you look at it from a threat actor’s perspective … threat actors want Social Security numbers because they are the easiest data element to monetize. What else do they want? Well, they want credentials — because it often leads to getting access to the Social Security number. So user ID and password are really, really sensitive from a threat actor’s perspective.”
In Routh’s experience, threat actors tend to “move laterally until they find credentials to escalate privilege, and then they go after the most important data to them — not the most important data to you.”
This is a crucial shift that enterprises need to incorporate into their cybersecurity approach. “For an enterprise, if you can take your most important data and get it into ten to fifteen percent of all the data, then you can put your best cybersecurity controls on the data that is the most valuable to threat actors. And that’s a scalable model.”
Listen to the full podcast for more from Routh — including his insights on how work-from-home culture has extended the attack surface to the home network, why data science is increasingly foundational for a cybersecurity program, and the implications behind the shift to cloud computing.