#RSAC: From Small-Time Criminals to Nation-States: How the CISO’s Role is Changing

Just one year ago, Tom Baltis, the Chief Information Security Officer at Blue Cross Blue Shield of Michigan, was primarily concerned with threats coming from “small-time cyber-criminals.”

“Today,” he said, “We count the government of China as one of the primary threat actors we have to contend with on a daily basis. The access to resources they have, the level of patience and motivation is very different from what we used to have to defend against.”

Baltis was speaking on a CISO panel at the 2016 RSA conference in San Francisco, discussing lessons learned and how those lessons can help prepare people for what comes next. The Blue Plan Baltis protects provides health insurance to about six million people in the state of Michigan. He said that as risk factors grow and evolve, they create a perception problem alongside the technological issues.

“In the insurance industry, we talk about being in the business of trust,” he said. “The level of trust our customers have in us has eroded significantly. It has become our challenge to restore and bolster that trust.”

He advocates an agenda of “aggressive innovation,” focused on obtaining new technologies and techniques, including funding their development where necessary. This strategy must be aligned with continual dialog with customers – not only to keep them informed, but also to make them part of the solution.

Randy Marchany, the CISO at Virginia Tech identified parallels in the education sector. His institution also contends with new cybersecurity threats that he described as a “shift from a teenage hacker with a ponytail and flannel shirt to a nation-state.”

It’s not just who’s hacking that has changed – today’s cyber-criminals also have different goals.

“They don’t want to get in and get data right way – they want to stay in there for a long time,” he said. “Our goal is to protect sensitive data no matter where it is.”

At a university with 30,000 students, each of whom wields an average of five devices, that data is all over the place.

In those circumstances, Marchany said, firewalling the network wouldn’t do much good. Instead, every device must run a script that sets up a local firewall before it can join the network. Even then, Marchany said that while firewalls might great for detection of threats, they’re not effective at protection.

He said his security efforts focus more on outgoing traffic than incoming.

“Encryption doesn’t bother us too much,” he said. “Even if we can’t read the content, if it’s going to a bad site, it’s bad.”

Marchany’s focus on education makes him as interested as Baltis in encouraging users to own their role in protecting devices and data.

“We’re sending people out in the world,” he said. “My overall goal is that I want them to understand they have a responsibility for security as well.”

What’s Hot on Infosecurity Magazine?