Welcome, HITRUST 2014 Conference, April 22, 2014.
The Evolving Information Security Organization – Challenges and Successes
Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator)
Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group
Erick Rudiak, Information Security Officer, Express Scripts
Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint
Omar Khawaja, Vice President and Chief Information Security Officer, Highmark
HITRUST 2014 Conference
The Evolving Information Security Organization
Challenges and Successes
Tuesday – April 22, 2014
Roy R. Mellinger, CISSP – ISSAP, ISSMP, CIM
Vice President, IT Security
Chief Information Security Officer
Enterprise Risk Management
Security Viewed as a Business Enabler
Translating Business Needs into Security Requirements
Translating Security Requirements into Technical Security Controls
Operating Technical Security Controls
(timeline graphic: 30 years)
Initial Compromise — spear phishing via email, malware planted on a website the targets visit, or social engineering.
Establish Foothold — plant remote administration software and create back doors to allow stealth access.
Escalate Privileges — use exploits and password-cracking tools to gain privileges on the victim's computer and network.
Internal Reconnaissance — collect information on the network and its trust relationships.
Move Laterally — expand control to other workstations and servers; harvest data.
Maintain Presence — ensure continued control over the access channels and credentials acquired in the previous steps.
Complete Mission — exfiltrate stolen data from the victim's network.
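The lifecycle above is useful operationally only if detections are mapped back to its stages, so that an analyst can see a host moving from foothold to privilege escalation to reconnaissance rather than a pile of unrelated alerts. The following is an added example, not code from the conference deck or from any of the panelists' organizations: it parses a constructed log (the `host=... user=... msg=...` format, the hypothetical detection rules, and all host names are assumptions) and reports hosts whose observed stages line up with the lifecycle order.

```python
"""Map log events to attack-lifecycle stages and flag hosts that progress
through several of them in order (added example; the rules, hosts and log
format are hypothetical, not from the conference deck)."""
import re
from collections import defaultdict

# Lifecycle stages in the order the slide lists them.
STAGES = [
    "initial_compromise", "establish_foothold", "escalate_privileges",
    "internal_recon", "move_laterally", "maintain_presence", "complete_mission",
]
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Hypothetical detection rules: a pattern over the message text and the
# stage it is evidence for. Real rules would come from EDR/SIEM content.
RULES = [
    (re.compile(r"macro executed from email attachment", re.I), "initial_compromise"),
    (re.compile(r"new service installed|scheduled task created", re.I), "establish_foothold"),
    (re.compile(r"lsass\.exe handle opened|added to local Administrators", re.I), "escalate_privileges"),
    (re.compile(r"\b(net view|nltest|dsquery)\b", re.I), "internal_recon"),
    (re.compile(r"admin\$ share|psexec service", re.I), "move_laterally"),
    (re.compile(r"run key modified|new domain account created", re.I), "maintain_presence"),
    (re.compile(r"large outbound transfer|archive uploaded", re.I), "complete_mission"),
]

# Constructed sample log, one event per line: <iso-time> host=<h> user=<u> msg=<text>
SAMPLE_LOG = """\
2014-04-22T09:01:10 host=WS-017 user=jdoe msg=macro executed from email attachment invoice.doc
2014-04-22T09:03:42 host=WS-017 user=jdoe msg=scheduled task created: \\Microsoft\\Windows\\Update
2014-04-22T09:20:05 host=SRV-DB01 user=dbadmin msg=net view /domain run by dbadmin
2014-04-22T09:31:18 host=WS-017 user=SYSTEM msg=lsass.exe handle opened by svchost.exe
2014-04-22T09:40:00 host=WS-017 user=jdoe msg=nltest /dclist:corp run by jdoe
2014-04-22T10:02:33 host=WS-042 user=svc_backup msg=admin$ share accessed from 10.0.5.17
"""

LINE_RE = re.compile(r"^(\S+) host=(\S+) user=(\S+) msg=(.*)$")


def parse_events(text):
    """Return (time, host, user, msg) tuples; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groups())
    return events


def classify(msg):
    """Return the lifecycle stage a message is evidence for, or None."""
    for pattern, stage in RULES:
        if pattern.search(msg):
            return stage
    return None


def correlate(events, min_stages=3):
    """Per host, record the first sighting of each stage in time order.

    A host is reported when it shows at least `min_stages` distinct stages
    and those stages appear in lifecycle order, so the chain reads like the
    slide's sequence rather than an admin running `net view` once.
    """
    seen = defaultdict(list)  # host -> [(stage, time)] in order of first sighting
    for time, host, _user, msg in sorted(events):  # ISO timestamps sort lexically
        stage = classify(msg)
        if stage and stage not in (s for s, _ in seen[host]):
            seen[host].append((stage, time))

    alerts = {}
    for host, chain in seen.items():
        indices = [STAGE_INDEX[s] for s, _ in chain]
        if len(chain) >= min_stages and indices == sorted(indices):
            alerts[host] = chain
    return alerts


if __name__ == "__main__":
    for host, chain in correlate(parse_events(SAMPLE_LOG)).items():
        print(host, "->", " > ".join(f"{s}@{t}" for s, t in chain))
```

On the constructed log, WS-017 is reported with a four-stage chain (initial compromise, foothold, privilege escalation, internal reconnaissance), while SRV-DB01's lone `net view` and WS-042's single share access are not, which is the point of correlating on progression through the lifecycle rather than on any one stage.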
Our information is increasing in value…
Our weaknesses are increasing…
Opportunities to attack are increasing…
Becoming increasingly difficult to secure
Explaining the "why"
Growing security in the org
Making security part of more processes
Assisting them with their job
Reporting on what matters to the audience
vs.
Explaining the "what"
Growing the security org
Creating more security processes
Telling them what to do
Protecting everything equally
Measuring what matters to the security org