Q&A: Andy Weeks Discusses the Challenges of Reconciling Security and Compliance

Dennis Fisher: Okay, welcome
to the Digital Underground podcast. This is the third in our CSO series of
podcasts with high level information security professionals and I’m very happy
to have on the line today my guest Andy Weeks who is the manager of risk and
compliance for enterprise information security at Humana, Inc.  It’s a long title but it’s a big organization
that has a lot of security and compliance concerns.  So we’re gonna talk to Andy about all of that
and hopefully shed a little light on how difficult it is to run that kind of
program in such a big Fortune 100 organization. 
So, Andy thanks for joining the podcast today.

Andy Weeks: No problem, glad to be here.

Dennis Fisher: Alright, so let’s
start out sort of very basic.  I think a
lot of people know the name of Humana but they’re not necessarily sure what
Humana does.  So give us a little
background on what Humana does and what kind of organization it is.

Andy Weeks: Absolutely.
Humana is, sort of the short answer, a health benefits company.  We are in the business of ensuring that
people are able to get the healthcare that they need primarily through
commercial and government sponsored health insurance.  Most folks may be more familiar with Humana
from our previous business where we were focused as a hospital company, but we have
been focused for the last decade or so on the health benefits industry and have
a real focus on bending the trend, helping our customers be better prepared to
make good decisions around their healthcare, reducing the cost of service while
also reducing the cost of benefits to our primary customers and are perceived as
a real leader in that marketplace.  So
the key element for us is to find ways to provide better healthcare at lower
cost.  My part in that is in helping make
certain that all of our stakeholders’ information is adequately secured.  As you can imagine in the healthcare industry
privacy is a major concern.  The safety
of our corporate information is a major concern.  So those are the things that we really focus
on.

Dennis Fisher: Okay so your
customers are both individual health insurance holders like me or anybody else
along with healthcare organizations themselves?

Andy Weeks: Generally speaking, our government
business focuses on Medicare and military healthcare.  We have individual insureds who may purchase
health insurance from us and then we have large group customers which would be
your traditional corporate health insurance buys, so a large company who
would come to us looking to insure all of their employees.

Dennis Fisher: Okay and so
you said you’ve been there for about a little more than six years now and
Humana has been going through a really rapid growth phase for most of that time
it looks like.  What was the information
security program like when you got there six years ago?

Andy Weeks: That’s a great question.
When I got here we were just in the midst of
building up our HIPAA compliance and so there was a lot of focus on the
regulatory requirements and the privacy requirements associated with HIPAA.  We
were a fairly immature organization.  Not long after I got there we started
implementing an annual security program maturity assessment.  We used
the Carnegie Mellon CMM security maturity model to begin measuring the maturity
of our program against ISO and we have seen a very steady increase in maturity
of our security program during that time.  But I would say we were
probably between a 1½ and a 2 on the capability and maturity model when we
first implemented our enterprise information security program.

Dennis Fisher: Okay and was
that immaturity just the result of it not being a top priority at the time?

Andy Weeks: I think it was a variety of things.  I don’t think we were unusual among companies
of our size in terms of our maturity.  At
that point in time I can even remember that the common quote was build the crunchy
exterior and the soft interior.  Let’s
really focus on perimeter security.  So
there’s a lot of emphasis being placed on putting firewalls on the outside,
getting workstation level controls like antivirus in place, and I think that a
lot of companies felt like if they had those key elements in place that was
really the extent of their security program. 
So it was a very operationally focused view of security rather than
looking at it in a more broad holistic way.

Dennis Fisher: Yeah, that’s
exactly right.  That focus on network
security and perimeter security was I think to the detriment of a lot of things
in the early part of this decade.  It had
people very focused on things that were easily sort of improbable but didn’t
make huge differences in what the overall security posture of the organization
might have been.

Andy Weeks: No question.

Dennis Fisher: So what were
the challenges for you in the security organization dealing with Humana’s
really rapid growth over the last few years?

Andy Weeks: Well several fold, one was to recognize that
we are in a highly regulated industry, a lot of emphasis being placed on the
security of the organization through regulatory requirements and yet as we were
going through growth we did not necessarily see a commensurate growth in
spending on security.  As a matter of
fact one of the key things that we’re focused on even today as an organization
is continuing to leverage the scale of the organization while keeping our costs
in line so that ultimately our administrative costs or our overhead is decreasing
relative to the revenue and so that puts a lot of pressure on building a solid
security program when the requirements for security continue to increase.

Dennis Fisher: So how are
you dealing with that sort of budget crunch there?  That’s a pretty difficult challenge in an
organization your size I’d imagine.

Andy Weeks: Yeah, the key element is to make certain
you’re focusing in the right areas and I mentioned the capability and maturity
model assessment.  That was a real help
to us.  Because we did that based on the
ISO 27002 standard we were able to really hone in on very specific domains
where we were weak.  So by picking out
the two or three areas of weakness we were able to focus our efforts in those
specific areas and apply the limited dollars we had to increase our maturity
and so by measuring that on an annual basis and now we’re moving to a more
continuous basis of measuring that, we’re able to really focus where the dollars
are spent for real value.

Dennis Fisher: Okay, so
trying to get the best value for your money as everybody is in this economy.

Andy Weeks: Absolutely. 
When you spend you want to make certain you’re spending on things that
have real impact.  I think the second
thing that we did was change from a data security or a network security based
view towards a more information security based view which says that at the end
of the day no matter how well you protect the perimeter and no matter how well
you protect the network and how well you protect the end points, if you’re not
protecting the information, whether that’s at rest or in transit, you’ve really
not done your job and so changing that focus was a real challenge for us but
one that ultimately has paid great dividends.

Dennis Fisher: So what were
those specific areas of weakness that you ended up focusing on, the two or
three areas?

Andy Weeks: Well you can look at a number of different
elements of the program that we really have focused spending time on.  Operational security, as I mentioned earlier,
is something that I think we actually did pretty well.  But if you start looking at things like how
we handled our incident management process, that’s an area where we’ve made
tremendous progress and again, that’s fairly operationally focused.  But then you start moving into things like
how do we bring awareness to our associates so that they are starting to make
good decisions about the information? 
What are we doing around data classification?  Do we know exactly what is in the data that
we’re protecting so that we know where we can start to focus our most intensive
efforts from an information protection perspective?  That’s another area where we’re really trying
to make progress.  So, moving away from
that sort of operational focus, not because we’re not emphasizing it but
because quite frankly we’ve got solid technologies in place there, towards more
of an awareness based program is where I think we’ve seen the most benefit and
most progress in the last couple of years.

Dennis Fisher: Okay.  Yeah, you mentioned sort of employee
awareness stuff.  There’s a big push for
that maybe in the last four or five years, getting employees involved in the
whole security program and making them part of the solution to the problem and
I kind of hear this cynical view in the industry that that’s never really
worked and user education is just kind of a waste of money because they’ll
never really get it.  They’re still going
to open malicious emails and download applications from the internet that are
going to wreck their computers.  So it
sounds to me like you’ve had a little bit of success with that.  How much of that security awareness and user
education do you guys do?

Andy Weeks: Well I think the real key here is sort of a
traditional awareness program is based on this concept of let’s put newsletters
out there, let’s do email blasts, let’s put pages out on the intranet and of
course we do all of that.  But I think
the real point of the spear from our perspective has been in getting to real
time point of use education.  So by using
some of the end point security tools that we’ve got in place we’re able to
actually give real time feedback to our associates that says what you’re getting
ready to do is potentially risky, are you sure you want to do this, or in some
cases even what you’re getting ready to do is so risky that we’re going to
prevent you from doing it but let us tell you why we’re preventing it and then
by giving them that real time education you’re not depending on uptake.  You’re getting them at the point of
behavior.  Therefore it’s a much more
realistic and real lesson to them.

Dennis Fisher: That’s an
interesting point.  I haven’t heard many
people who have implemented that kind of thing because a lot of times you’ll
see these tools that will just say no you can’t do that but the end user has no
idea why they can’t do that or why they shouldn’t do that.

Andy Weeks: Exactly.

Dennis Fisher: So have you
found that that’s made a difference with your employees?

Andy Weeks: Oh there’s no question.  In those very specific areas where we have
been giving point in time information and we are now measuring the behavior
we’re seeing a down tick in those kinds of behaviors.  A lot of companies, I think you’ll be familiar
with this, those who have put in place for example web filtering technologies
definitely see if they measure the sites that folks are going to they’ll see
that when they implement active blocking that the number of attempts to go to
those sites goes down because of that real time feedback.  But to your point if you don’t tell them why
you’re blocking it, it’s kind of a cynical behavior change if you will, like I
know I can’t go there, you’re blocking me, but I don’t really know why and as a
matter of fact I’m going to work hard to try to get around the controls that
you’ve put in place.

Dennis Fisher: Right,
that’s exactly right.

Andy Weeks: We’ve even had folks within the business
who’ve said I’m going to send people home to be able to get to websites that
are blocked and what we’d rather they do is say hey, let’s engage in real
dialogue.  Let’s try to talk about why
someone is trying to go someplace that normally we would block and come up with
reasonable and secure alternatives rather than trying to just get around the
system.

Dennis Fisher: Yeah, it’s
an excellent point.  I think more
organizations should do that.  They’d
find themselves with less annoyed and more successful employees I would
imagine.  So given that you guys are in
the healthcare industry and compliance is such a huge part of what you do, do
you even separate compliance versus information security these days in terms of
what you’re focusing on and how much of your time is spent on one versus the
other?

Andy Weeks: That’s a really good question.  We kind of have a catchphrase that we use
within the organization and that is compliance is not the objective, it’s the
natural result and what that really reflects is we are not out there trying to
just achieve compliance at the expense of good security practices.  We really operate from a perspective that
says you know if we do the right things from a security standpoint we’re going
to be compliant.  Now, that doesn’t mean
that you can’t go out and that we don’t have an obligation to understand what
the regulatory requirements are and make certain that we’re meeting those.  But if we do that in the context of a broad
security program that again is another tactic that we use to best leverage the
limited dollars that we have for information protection.  We’ve done that through the establishment of
a common security framework and that framework incorporates not only the regulatory
requirements. It also incorporates best practices and that starts with some of
the published industry best practices out there.  It’s organized for example around the ISO
standard.  It’s also incorporating
HITRUST, which is the health industry approach.  It would be very similar to PCI.  Let’s take all of the health industry
requirements.  Let’s come up with a
common set of standards and if we could all find ourselves compliant with that
HITRUST framework then we will have a common level of information protection
across the entire healthcare industry and so that’s another key element of that
framework and then obviously building in the contract compliance requirements
that we have coming from our customers as well, pulling all those together into
a single framework really allows us to be much more cost effective and more
just overall effective in how we deliver those information protection
capabilities.

Dennis Fisher: Yeah, so for
a business like yours in which the data that you hold is really essentially
what your business is, the value and the integrity of that data is just a huge
part of what you guys do, you see all these data breaches that happen.  How much of a concern is that to you and how
do you go about protecting those databases? 
That’s got to be huge.  It’s got
to be right at the top of your list of priorities I would imagine.

Andy Weeks: Oh absolutely, the thing that keeps me up at
night is the concern that I’m gonna find out that the information that we’re
trusted with, which if you think about it, this is very personal
information.  If you’ve got an insured
member’s health information, that is some of the most sensitive information in
anyone’s life.  If that were to be
disclosed, we’re talking about a real issue that is the core of what we’re
trying to prevent and so looking at where we have that information stored,
making certain that we understand where our points of weakness are so that we
can effectively address those is one of the key pieces of our program.  So as I look, for example, at our database
environment, being able to assess where the information is contained is the
first step there.  Once we’ve established
where the information is contained, understanding where we have vulnerabilities
is the next piece of that and then finally putting together a strategy for
addressing those vulnerabilities.  That’s
almost a feedback loop, continuous activity to be able to understand the
information, understand the weaknesses, address the weaknesses, and then
continue to measure that and that’s the process that we follow on a day to day
basis.

Dennis Fisher: Has the sort
of explosion of the smart mobile devices like smart mobile phones and
Blackberries and iPhones and those sort of things, how much more difficult has
that made your job in terms of protecting the data at every point?

Andy Weeks: That’s something that we’re watching very
closely.  At this point there is just a
little bit of push towards mobility in the health industry.  The point of use of the information is at the
point of use of the service.  So for
example most people don’t think about their health information unless they’re
in their doctor’s office or they’re in the emergency room.  What we’re now beginning to see is an
increasing need for mobility around that. 
So as you walk into a health clinic for example the ability for someone
to carry with them their electronic medical record is something that is very
exciting from a healthcare perspective but also very challenging from an information
protection perspective. So being able to have a handle on the information
protection, where it lies as it’s moving and as it becomes more mobile is going
to be a real challenge for us over the next couple of years.

Dennis Fisher: Okay, have
you put in any sort of restrictions on the types of devices that you want to
deploy in your organization?

Andy Weeks: Today we have a very limited number of mobility
devices that we utilize that are very policy based.  It allows us to control the movement of information
and so that’s one way that we’ve approached that and I think long-term that’s
probably not scalable.  Long-term we’re
probably going to need to look at how we can be more open about the devices
that we support for example.  Maybe from
a corporate perspective we’re only talking about 30,000-40,000 people’s
information that we need to protect when we look at it from an employee
perspective.  But when you scale that out
and look across our entire subscriber base, you’re talking literally millions
of people who have access to information that we need to control and so that’s
where it’s going to be very interesting on a long-term basis in terms of how we
manage that flow of information.

Dennis Fisher: Yeah, and
especially since you guys are subject to so many government regulations.  You’re going to have to take those into
account when you look at those policies as well.

Andy Weeks: Absolutely, absolutely.

Dennis Fisher: Alright,
well Andy listen, I really appreciate your time.  Thank you so much for
doing this.  I think it was excellent.  I think the listeners should
get a lot of good information and good ideas from what you guys are doing at Humana.

Andy Weeks: Well I appreciate your time and enjoyed
sharing at least a little bit of what we’re doing.  I hope it’s helpful to those folks.

Dennis Fisher: Absolutely.  Thanks again Andy, take care.

Andy Weeks: Alright, take care.

Dennis Fisher: Bye.

Andy Weeks: Bye-bye.
