Security and Compliance: From a Technology Problem to a Top Issue in the Boardroom

By Jason Newman, Chief Information Security Officer at Blue Cross and Blue Shield of Minnesota

I’m a VP and chief information security officer for Blue Cross and Blue Shield of Minnesota (Blue Cross). In my role, I am responsible for information security, IT risk management, business resilience, and crisis management within Blue Cross.

HITRUST: How do you look at problem solving in the risk management space?

NEWMAN: Prior to Blue Cross, while I was working at a Big 4 consulting firm, I was part of a group that performed security and technology risk management consulting. There, I did everything from defining top-level security strategies, to assessing, designing and implementing security programs and technical security solutions.

One of the luxuries of being in consulting is you see that a lot of organizations have similar problems. What that experience also tells you is that every organization, even when they have the same problem, requires that you tackle that problem and solve it in a different way. It could be because of the culture of the organization, their leadership, the technologies they support, or their unique risk appetite. All of these factors change the dynamic of the problem for you. I’ve seen the same problem about 30 different times and I’ve solved it 30 different ways.

HITRUST: How do you approach and manage third-party risk?

NEWMAN: Third-party risk management is a critical component of our information security and risk management programs at Blue Cross. Third-party risk assurance is not simply about getting the third-party’s completed security questionnaire responses or even their HITRUST CSF® report and checking the “done” box. For us, it’s about leveraging the results to feed our organization’s risk analysis process to determine what risk the third party poses to our organization. It’s about engaging with the business to really understand the services provided by the third party and to find ways to manage or mitigate identified risks related to those services. Third-party risk management should be thought of as a collaborative effort between risk leaders, business partners and the third-party vendor to identify the most efficient and effective solutions to address identified risk.

HITRUST: How does the HITRUST CSF change the way you converse with the board?

NEWMAN: When I was hired, I had visibility at the board level pretty much immediately. However, my engagement with the board increased as healthcare as a cyber target has increased. Those external factors drove my engagement and frequency of my engagement with the board more than anything else. Our board certainly views and accepts cybersecurity as a board-level risk.

Getting their buy-in to leverage the HITRUST® framework was straightforward; I really just positioned it as: “all of this starts with a framework.” We need a yardstick to measure our program and assess our risk. Once we were aligned on that, I could focus on selling to them the merits and the value of the Information Security program. The board doesn’t need to understand the nuances of the framework in any level of detail; nor do I want them to. What is important to them is that we’ve aligned to an industry standard that’s comprehensive and well recognized.

HITRUST: Do you have any advice for CISOs whose organization hasn’t begun using the program?

NEWMAN: If you’re a new CISO in healthcare and you’re starting from square one where you don’t yet have any HITRUST experience, a step in the right direction would be to adopt HITRUST CSF as the framework or foundation for your program. With it, you can be sure you have coverage across the various standards and regulations pertinent to the healthcare industry. You can also use it to focus on which assets are most critical and the security safeguards in place to protect them. Then you can go into rolling out your security safeguards in your organization necessary to address any identified risks or control gaps. Whether you are new or not, when you are ready to begin the rollout of HITRUST CSF within your environment, start with a finite, risk-based scope. Don’t try to do it all at once. We actually hired a third party to help us only because we wanted to move quickly. However, the HITRUST CSF is straightforward enough to do the work internally as well.

HITRUST: Do you have any advice for CISOs whose organization is using HITRUST and wants to get more out of it?

NEWMAN: Most companies start building the program with the HITRUST CSF to measure themselves and quickly realize they also need a way to measure third-party risk. I am seeing that a fair bit with my peers. The challenge we often discuss is consuming third-party risk information back into our programs in a consistent manner. To be successful in this, there’s some sort of translation that needs to occur.

For us, all third-party processes are HITRUST-based, whether we are talking about assessment questionnaires or risk assessment and reporting processes. The common language HITRUST provides is extremely beneficial in having productive conversations with not only our vendors but our internal business units as well. It takes away any perception that we are pulling requirements “out of thin air” and helps them understand exactly where we are coming from with our inquiries.

HITRUST: How has looking deeply at risk helped you become a better CISO?

NEWMAN: We live in a risky world. Some risks are worth taking, and some are not. By having this risk lens, I believe that I (or any CISO, for that matter) can come to the table with risk-based facts and educate a business leader as opposed to presenting a policy that reads “You can’t do this” or a presentation that leads with “It’s a big scary world out there” (which I think is a bad idea, by the way). Most leaders respect you when you say “Let’s have a dialogue around a security risk in the context of your business.” This conversation is much more powerful. Security can be complex, so if you can boil it down into simpler terms, in risk language described in business terms, then you’re back on a level playing field, speaking the same language and enabling an intelligent conversation. It really does make you a more effective CISO if you break through the fear, uncertainty and doubt (FUD) game and come to the table with the risks and potential solution options in a way that someone who’s not a security or technology professional can understand.

Original date of publication July 5, 2017.
