Written By Jason Newman, Chief Information Security Officer at Blue Cross and Blue Shield of Minnesota.
Editor’s Note: Because of the extensive amount of information provided by Jason Newman in his recent conversation with HITRUST, we have decided to publish the article in its entirety—starting with part one in this issue, and part two in the November/December issue.
I’m a VP and chief information security officer for Blue Cross and Blue Shield of Minnesota. I am responsible for information security, IT risk management, business resilience, and crisis management.
I’ve seen security evolve from a technology problem to a top issue in the boardroom and so it really made my job interesting coming to Blue Cross. From day one, there was a deep interest and buy-in within the company, recognizing that security is important. With this, we’ve gotten strong support from the leadership team and the board. What really excites me now is dealing with information security and risk management at a higher level, at a business and strategic level. I enjoy engaging with senior leaders of the business and with the board to protect what matters. I strive to leverage security as an enabler for business initiatives as opposed to being viewed as a hindrance to getting things done by the business.
50 Problems, 50 Ways to Solve Them
Prior to Blue Cross, I was working at a Big 4 consulting firm. There, I did everything from defining top-level security strategies, to assessing, designing and implementing security programs and technical security solutions.
One of the luxuries of being in consulting is you see that a lot of organizations have similar problems, but what that experience also tells you is every organization, even when they have the same problem, requires that you tackle that problem and solve it in a different way. It could be because of the industry, the culture of the organization, their leadership, the technologies they support, or even their unique risk appetite. All of these factors change the dynamic of the problem. I’ve seen the same problem about 30 different times and I’ve solved it 30 different ways. It gives you a broader perspective on how to solve problems than just “Okay, I’ve done it this way, and this is the only way I know how to do it.”
Third-Party Risk Assurance
Third-party risk management is a critical component of our information security and risk management programs at Blue Cross. Third-party risk assurance is not simply about getting the third-party’s completed security questionnaire responses or even their HITRUST CSF report and checking the “done” box. For us, it’s about leveraging the results to feed our organization’s risk analysis process to determine what risk the third-party poses to our organization. It’s about engaging with the business to understand the services provided by the third-party and to find ways to manage or mitigate identified risks. Third-party risk management should be thought of as a collaborative effort between risk leaders, business partners and the third-party vendor to identify the most efficient and effective solutions to address identified risk.
With our vendors, however, it ends up being a little bit more of helping them understand what risks concern us, and getting them to first agree that it’s something they need to address. We’re usually a little less involved in specifically how the third-party vendor needs to solve their information security shortcomings (though we may provide some suggestions). For the most part, what we’re trying to do is understand how a risk at the third-party impacts the risk profile of our organization and how it could be mitigated in their environment as a means to improve our collective security posture. This is an important point – we view the security controls at our third-party vendors as an extension of our own; that is to say we don’t try to offload complete security responsibility to our vendors. We recognize we have the obligation to protect and manage the risks to our data regardless of where the data is located; whether our data is located within our data center or at a particular third party, our obligation to protect the data does not change.
We use HITRUST as our third-party assurance questionnaire and framework, so we’ll really look at the results of that as part of this analysis. We will spend more time with the larger vendors, the upper risk tier, and will get a little more prescriptive with them than we would with some of the lower risk tier vendors.
How Does CSF or Third-Party Assurance Change the Way We Converse with the Board?
When I first started, I had visibility at the board level pretty much immediately. However, my engagement with the board increased as healthcare as a cyber target has increased. Those external factors drove the level and frequency of my engagement with the board more than anything else. Our board certainly views and acknowledges cybersecurity as a board-level risk.
Getting the board buy-in to leverage the HITRUST framework was straightforward; I simply just positioned it as: “our security program starts with a framework, which is a yardstick to evaluate and measure our program and assess our security risks”. Once we were aligned on that, I was able to focus on selling to them the merits and the value of the Information Security program. The board doesn’t need to understand the nuances of the framework in any level of detail; nor do I want them to. What is important to them is that we’ve aligned to an industry standard framework (HITRUST CSF) that is comprehensive and well recognized.
The board recognizes that cyber risks are real and now we’re part of an industry that’s heavily targeted. Meeting once or twice a year to get an update on cybersecurity was no longer sufficient for them; we needed to meet quarterly.
To be more specific regarding the risk management framework, my position has always been this: if the HITRUST CSF did not exist, I would build the same thing myself. Why? Because taking industry standards like ISO, SOC 2® and NIST (and certainly regulations and compliance obligations such as HIPAA and PCI) and harmonizing all this into a singular framework is something that we need. However, with HITRUST, we don’t have to build it. Rather, we have an organization that is committed to keeping the framework and supporting subject matter fresh while continuously updating and extending the capabilities around this same concept.
The HITRUST CSF makes things much easier for me in terms of how I can manage my program. The concept of assessing once and satisfying many has a great amount of value to our program.
If we hadn’t built our program using the HITRUST framework as the core model, responding to each and every request for my compliance reports would require the use of multiple, discrete frameworks and programs and data sets that we would somehow have to keep straight. The HITRUST CSF does that for us, saving us time and energy that can be spent on other aspects of our security program.
There’s more to come from Jason Newman. We will feature part two of this article in the next issue of our Newsletter.