“I’d been there seven months and threw my name in the hat, and I got it. I had done some information security work in the army, so with that background I was able to understand and apply previous security knowledge and practices. Since then, we have been working hard to improve the security posture and maturity of the organization and haven’t slowed down yet – building the programme from a regulatory and technology capability perspective.”
Devin Shirley is a man who has taken on significant responsibility in his post-military life.
As the inaugural Chief Information Security Officer (CISO) at Arkansas Blue Cross and Blue Shield, the largest health insurer in the state, he is responsible for ensuring the organisation’s cyber defences stand strong in today’s intense threat landscape.
His team, which has grown steadily since he stepped into the role in 2016, covers the security programmes for six separate areas of the business, a structure which continues to grow and mature.
“Previously, security was decentralized and had recently merged, reporting directly to the CIO,” Shirley says. “My job was to mature the programme to ensure the organization was in the best possible position to protect itself. The healthcare field continues to be one of the major sectors impacted by malicious attacks.”
Securing trust
Today’s threat landscape is ever-evolving. As an example, Shirley explains how ransomware attackers are becoming more creative in how they access, encrypt and demand payment for the release of data.
While he states that financial services companies and governmental organisations may be more lucrative targets, sensitive healthcare information can also be leveraged to achieve malign ends, especially when it comes to certain individual patient records.
“Let’s just use me as an example,” Shirley says. “On the face of it, no one cares that Devin had a back X-ray two weeks ago, but maybe I’m sensitive to that information, making me vulnerable to attackers. Maybe I didn’t want someone to know.
“The key message is that you have to protect all the data. Bad guys don’t care what the data contains – they just publish it in hopes of capitalizing on it.
“We also need to look at the regulatory aspect because it is controlled with HIPAA, with other states working on standards similar to what GDPR has tried to accomplish.
“Beyond that, there are the financial and reputational considerations. It really is like a domino effect – one thing happens, and it could roll downhill and continue to have a negative impact in many other areas.”
Securing the data of Arkansas Blue Cross and Blue Shield customers, known as members, is therefore critical to the integrity of the entire organisation.
Shirley views the company as custodians of data in this regard. Its members own the data, and it is his job to ensure it is used in the right way, by the right people, within the insurance and medical domain.
This can become complicated given the hyper-connected world we now live in – people can choose where their data goes and what apps and programs can access it.
Shirley explains: “Now we have to coordinate with third-party software developers and make sure that they’re doing their due diligence to protect the data. Even though it leaves our environment, we try to work with those third parties to ensure they look for and secure the data to ensure the best end-to-end protection is provided.”
This is all built on trust between insurer and member, and Arkansas Blue Cross and Blue Shield has been working tirelessly to gain the trust of the Arkansas community, not least in its efforts to become HITRUST certified.
HITRUST is a highly acclaimed certification that combines several key security frameworks, acting as formidable proof of commitment to safeguarding medical information. Shirley presented HITRUST with several systems to be certified, which represented one of the largest initial scoped certifications the body had seen – an exercise which the CISO recalls as being extremely intensive to complete.
This covers every aspect of the organisation and is subject to recertification every two years, meaning Shirley and his teams must remain vigilant at all times.
“HITRUST is a culmination of all the good work we have done over the past few years,” he says. “The formulation and maturing of the overall security programme reflect the maturing we’ve had to go through to really create a proper security department.”
People power
Building the department has not come without its challenges, however.
When asked about the hurdles currently facing Shirley and the cybersecurity sector more widely, the CISO turns to the topic of skills shortages in the USA.
According to the International Information System Security Certification Consortium (ISC)² Cybersecurity Workforce Study, which analysed 11 major economies (including the USA), there are at least four million more professionals needed to fill public and private roles.
It is also an urgent problem. Every 39 seconds a cyberattack occurs somewhere in the world, costing an average of $13 million, and the cumulative global value at risk between 2019 and 2023 is around $5.2 trillion.
“This was an issue well before COVID,” Shirley adds. “Part of it’s just the knowledge, part of it is people don’t want to do it as a job – and those who can do it, can’t do it everywhere.
“Getting people trained with the right skillset, being able to compensate them appropriately so that someone else doesn’t steal them away from you… that is the challenge of retaining skilled resources.
“I have to be careful to make sure we maintain appropriate skills and account for possible attrition. People come in and get trained, spend one or two years and go out again. I mean, it’s great for them, great for their career, but it keeps us on our toes of having to understand the impacts to our organization.”
Arkansas Blue Cross and Blue Shield invests heavily in training and development, nurturing career paths for its employees to limit the churn that Shirley refers to. It also ensures Shirley’s team is as highly qualified and proficient as possible, crucial if the battle against cyber attackers is to be won.
Being a strong leader also helps on both of these fronts.
Asked what makes an effective CISO, Shirley responds: “Flexibility, for sure… being able to adapt to changing situations every day. That could be business changes, technology changes, or personnel changes.
“On top of that, creativity with how we can approach a particular problem in a different way so we can optimise our resources, optimise our capabilities and still achieve the end goal, but do it in such a way that it’s not going to hinder the performance of the company.
“I could fully secure the company by removing all the computers, and write everything down on a legal pad. At the end of the day, you put pen and paper in a safe and you walk away, and no one will ever steal our data. We won’t last a week, but we are secure.”
Looking ahead
Indeed, cybersecurity, in the eyes of Shirley, is a constant balancing act that is subject to flux and change on an almost daily basis.
The CISO is proud of how far he and the team have come in the space of five years, and the future looks set to provide even more challenges that they must rise to in order to protect the company and its members’ data.
The regulatory and compliance landscape, for instance, will be something Shirley keeps a very close eye on – particularly around requirements for privacy and making data available to multiple entities and third parties. And as Arkansas Blue Cross and Blue Shield evolves into more of a health-solutions-orientated organisation, so too will its cyber landscape and cybersecurity programme to enable information to flow as needed.
“On the technical side, we’ll be looking at hackers in more detail,” Shirley adds. “What are they trying to do? What are their tactics and procedures? What are they trying to accomplish?
“I also think we’re going to see more attacks that are based on AI and the cloud, and we’re going to have to use our own AI to combat that.”
These are all ways that Shirley intends to mature the cybersecurity function moving forwards, the CISO likening his role to that of a protector, akin to his military days. Indeed, this is the aspect of the job that keeps him engaged on a daily basis, applying his learnings from the armed forces and his experience as a self-defence teacher to the corporate security world.
“I’m in this role to really make a difference in not just the bottom line with money, but as a form of protector… I can’t think of another way to say it,” he says, bringing the conversation to a close.
“You’ve got to keep that vigilant eye and be alert. That makes it very dynamic. I told my wife that this is probably the first job I’ve had where I just love the role. They say if you love your job, you don’t work a day in your life. A lot of times I feel that’s true.”