Welcome HITRUST 2014 Conference April 22, 2014
Presentation Transcript

The Evolving Information Security Organization – Challenges and Successes

Panel:

  • Jason Taule, Chief Security and Privacy Officer, FEi Systems (Moderator)
  • Robert Booker, Vice President and Chief Information Security Officer, UnitedHealth Group
  • Erick Rudiak, Information Security Officer, Express Scripts
  • Roy Mellinger, Vice President, IT Security and Chief Information Security Officer, WellPoint
  • Omar Khawaja, Vice President and Chief Information Security Officer, Highmark

Chief Information Security Office

HITRUST 2014 Conference

The Evolving Information Security Organization

Challenges and Successes

Tuesday – April 22, 2014

Roy R. Mellinger, CISSP – ISSAP, ISSMP, CIM

Vice President, IT Security

Chief Information Security Officer

The Evolving Information Security Organization

Layers of the security organization, from strategic to operational:

  • Enterprise Risk Management
  • Security Viewed as a Business Enabler
  • Translating Business Needs into Security Requirements
  • Translating Security Requirements into Technical Security Controls
  • Operating Technical Security Controls
  • Fighting Fires
  • Security Threat

The Evolving Information Security Organization
  • 24x7 Security Operations Center (SOC)
  • End to End DLP (Data Loss Prevention) Strategy
  • Tracking of Malware Threats and Coding Techniques
  • Effective Firewalls, IDS / IPS Strategy Implementations
  • Effective Security and Event Log Management & Monitoring
  • Robust Safeguarding Policies, Programs and Processes

The Evolving Information Security Organization

Hacking Then

  • Individual or Computer Clubs / Groups
  • Manual efforts with Social Engineering
  • Success = Badge of Honor
  • Personal Monetary Gain or to pay for / fund hacking activity
  • War Protesting and Civil Disobedience
  • Anti-Establishment Rhetoric
  • Social Rebels and Misfits

Hacking Now

  • Automated / Sophisticated Malware
  • Hacktivism – Freedom of Speech, Statements to Influence Change, Sway Public Opinion and Publicize Views
  • Criminal – Drug Cartels, Domestic and Foreign Organized Crime for Identity Theft and Financial Fraud
  • Espionage – IP, Business Intelligence, Technology, Military / Political Secrets
  • Terrorism – Sabotage, Disruption and Destruction
  • Nation-State – Intelligence Gathering, Disruptive Tactics, Clandestine Ops, Misinformation, Warfare Strategies, and Infrastructure Destruction

(Timeline on the slide: 30 years between "Then" and "Now")

The Evolving Information Security Organization

Initial Compromise — spear phishing via email, planting malware on a target website, or social engineering.

Establish Foothold — plant administrative software and create back doors to allow for stealth access.

Escalate Privileges — use exploits and password cracking tools to gain privileges on the victim computer and network.

Internal Reconnaissance — collect info on network and trust relationships.

Move Laterally — expand control to other workstations and servers. Harvest data.

Maintain Presence — ensure continued control over access channels and credentials acquired in previous steps.

Complete Mission — exfiltrate stolen data from victim's network.

Risk is increasing


Our information is increasing in value…

  • More data (EMRs)
  • More collaboration (ACOs)
  • More regulation (FTC)

Our weaknesses are increasing…

  • More suppliers (Cloud)
  • More complexity (ACA)

Opportunities to attack are increasing…

  • More access (consumer portals)
  • More motivated attackers

Becoming increasingly difficult to secure

  • Multiple Compliance Requirements
  • Evolving Compliance Requirements
  • Unclear Compliance Requirements
  • Less visibility
  • Less control

Security org needs to evolve

| Evolving from                                 | Evolving to                                   |
|-----------------------------------------------|-----------------------------------------------|
| Explaining the "what"                         | Explaining the "why"                          |
| Growing the security org                      | Growing security in the org                   |
| Creating more security processes              | Making security part of more processes        |
| Telling them what to do                       | Assisting them with their job                 |
| Protecting everything equally                 | Differentiated controls                       |
| Measuring what matters to the security org    | Reporting on what matters to the audience     |