With over 15 years in information security, it’s safe to say that Jim Routh knows a thing or two about the challenges security professionals face today. Given the constantly evolving threat landscape, Routh understands the gravity of his position.
As the chief security officer of Aetna, one of the largest health care companies in America, he’s well aware that the information he’s hired to protect is as valuable as any. But while many might assume Routh, who works in a traditional field, takes a customary approach to protecting his organization’s network, that’s one characteristic he feels does not work for today's security executives.
Conventional security controls - also known as industry standard practices - are effective, but taking alternative approaches can result in a more resilient enterprise.
For example, when it comes to email security, the mitigation technique for phishing attacks recommended by all authoritative sources is end-user education. While the basic premise of end-user education is sound, it also instills a sense of distrust between end users and their email inbox, says Routh.
“Removing trust from an email system for any enterprise is not really sustainable since email is often part of the cultural norms and represents essential business processes within any enterprise,” Routh said.
An alternative approach to this would be leveraging a set of controls designed to build trust, not deplete it. This involves unconventional controls or controls not part of any risk framework or established audit framework. It involves controls that are not recommended by authoritative sources, Routh says.
In this case, an example of an unconventional control would be adhering to DMARC for an enterprise's outbound email campaigns, including email sent by third parties on the enterprise's behalf. “[While] DMARC is a technology standard, it is not referenced in NIST or ISO or any other authoritative source.”
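The check a defender would want when adopting DMARC as a control is whether a published record actually enforces a policy or only monitors. The following is an added example, not code from the interview or from Aetna; the record strings are constructed samples and the grading levels ("monitor", "partial", "enforced") are this example's own labels.

```python
"""Parse a DMARC TXT record and grade how far it goes toward enforcement."""
from dataclasses import dataclass


@dataclass
class DmarcAssessment:
    policy: str            # value of the p= tag
    subdomain_policy: str  # sp= tag, defaults to p= when absent
    pct: int               # share of failing mail the policy applies to
    has_reporting: bool    # rua= or ruf= present (aggregate/forensic reports)
    level: str             # "invalid", "monitor", "partial" or "enforced"


def parse_dmarc(txt: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary (lower-cased keys)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt: str) -> DmarcAssessment:
    """Grade a record: p=none only monitors; pct<100 or sp=none leaves gaps."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return DmarcAssessment("", "", 0, False, "invalid")
    policy = tags["p"].lower()
    sp = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    has_reporting = "rua" in tags or "ruf" in tags
    if policy == "none":
        level = "monitor"
    elif policy in ("quarantine", "reject") and (pct < 100 or sp == "none"):
        level = "partial"
    elif policy in ("quarantine", "reject"):
        level = "enforced"
    else:
        level = "invalid"
    return DmarcAssessment(policy, sp, pct, has_reporting, level)


SAMPLE_RECORDS = {  # constructed examples, not any real domain's records
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com",
    "subdomain-gap": "v=DMARC1; p=reject; sp=none",
    "enforced": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        print(f"{name}: {assess_dmarc(record).level}")
```

A record that grades "monitor" or "partial" is where third-party senders are typically still unaligned and worth reviewing before moving to reject.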
While security used to be all about stability and making very few changes within the business, now dynamic changes are the norm; control frameworks implemented by the security and risk departments must change with that.
“The challenge with conventional controls is that they’re largely driven by regulation and precedent. All of that is good, and totally insufficient for the CISO today to develop a resilient enterprise,” Routh told Infosec Insider during a recent video interview at Infosec World 2017.
For security executives looking to establish a resilient enterprise, they’ll need to think outside the box and adopt unconventional controls.
“Innovation is essential,” Routh said. “What CISOs are trying to do today is change the rules for the threat adversary, and the rules are stacked in the adversary's favor.”
By focusing on what Routh says are the “three Ts of security” - talent, tools, and techniques - today’s security executive can take innovative approaches to their craft that help build a more resilient enterprise.
In this exclusive video interview, Routh discusses the importance of focusing on the three Ts of security and highlights the three most important things security executives must do to develop a resilient enterprise.