CDW Protect SummIT moderator Bob Bragdon (left) discusses evidence-based security with Penn Medicine CISO Dan Costantino.

Aug 20 2019

At Penn Medicine, Decisions About Cybersecurity Are Driven by Data

The Academic Medical Center’s CISO says evidence-based security works.

Most organizations’ cybersecurity programs follow a familiar pattern: First, do what’s required. Next, do what’s recommended.

“But what happens after that is kind of the wild west,” said Dan Costantino, CISO at Penn Medicine in Philadelphia. “You get to a roomful of security professionals who are making recommendations that everyone just assumes are correct.”

Too often, Costantino told attendees of the CDW Protect SummIT in Philadelphia, organizations simply implement solutions based on what their peers are doing, without knowing how effective those actions are. Or, they deploy whatever they believe is state of the art. By implementing evidence-based security at Penn Medicine, he’s adding a third layer to his organization’s strategy: Do what works.

“If you look at what most security programs do today, they start with compliance: They make sure that they’re complying with all applicable laws and regulations in their industry,” said Costantino. “Then they move on to framework alignment, meaning they pick a cybersecurity framework that makes sense for them, and they make sure that they’re aligned with those recommendations.”


Data Analysis Is Critical to Effective Cybersecurity

As a large academic medical center in a major metro area, Penn Medicine confronts a number of unique cybersecurity challenges. Unlike many businesses, it cannot shut its network down for several hours to deploy a new solution or conduct maintenance. It employs 40,000 people working in six hospitals and 10 specialty centers across the Philadelphia area, and its network is also accessed regularly by professionals who are not employees, such as independent physicians with admitting privileges.

For the academic medical center, evidence-based cybersecurity means aggregating information from several external sources and then comparing it with its own data. Costantino said his team pays close attention to the Verizon Risk Report and other well-regarded cybersecurity research, and at the same time carefully analyzes Penn Medicine’s own security data to determine the efficacy of the team’s actions.

That helps keep Penn Medicine focused on doing the things that the data suggests are most crucial to keeping its network safe. “If you look at how other programs are built, they’re built on compliance and alignment, and then they’re built on what everyone else is doing,” Costantino explained. “You see a lot of people asking: ‘What are you doing? How are you solving this problem?’ And that’s great; we certainly look at what others are doing too. But most important, what we’re doing is what the evidence says is the best next decision specifically for Penn Medicine.”


In Cybersecurity, the Fundamentals Are Still Key

Some security professionals might be surprised by what that evidence suggests. While others are deploying sexy solutions, such as those driven by artificial intelligence, Costantino said the cybersecurity challenges at Penn Medicine are more prosaic, according to the data he sees.

“The evidence says that people still can’t help themselves, and they click on those phishing emails,” he explained, and that employees continue to make various other mistakes with data security. “So the evidence really comes back to the fundamentals in a lot of ways.”

The success of a cybersecurity program is always hard to measure. For a large and complex organization like Penn Medicine, the challenge is even greater. Yet one key advantage of evidence-based security planning is precisely that Costantino and his team can observe how well their actions are performing.

“Ultimately, we can see how well we’re making decisions for Penn Medicine year after year,” he said. “If we’re driving phishing down and moving patching up and getting people to stop moving data into places where they’re not supposed to, then you know you’re moving forward in the right way.”
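As an added illustration (not code from the article, from Penn Medicine, or from CDW), the following Python sketch turns the three measures Costantino names into a year-over-year check: phishing-simulation click rate, share of critical patches deployed within an assumed 30-day target, and data-loss-prevention events per 1,000 users. The phishing comparison runs a two-proportion z-test so that a small drop in click rate is not mistaken for progress when it could be sampling noise. Every number below is constructed for the example; the 30-day patch target and the 0.05 significance level are assumptions.

```python
"""Year-over-year check of the three measures named in the article:
phishing click rate, patch timeliness, and data moved to unsanctioned
locations. Added example; all figures below are constructed, not Penn
Medicine's data.
"""
from math import sqrt
from statistics import NormalDist

# Constructed phishing-simulation results per year: (emails sent, clicks).
PHISH = {2018: (12000, 1380), 2019: (12500, 990)}

# Constructed patch latency: days from vendor advisory to deployment for
# a sample of critical patches in each year.
PATCH_DAYS = {
    2018: [3, 45, 60, 12, 30, 90, 7, 21, 33, 75],
    2019: [2, 14, 28, 9, 20, 40, 5, 15, 18, 31],
}

# Constructed DLP counts: "data copied to an unsanctioned location"
# events per 1,000 users per year.
DLP_PER_1K = {2018: 6.4, 2019: 4.1}


def click_rate(sent, clicks):
    """Fraction of simulated phishing emails that were clicked."""
    return clicks / sent


def two_proportion_z(n1, x1, n2, x2):
    """Two-proportion z-test comparing click rates of two years.

    Returns (z, two-sided p-value). A large |z| / small p-value means
    the change is unlikely to be sampling noise.
    """
    p1, p2 = x1 / n1, x2 / n2
    pooled = (x1 + x2) / (n1 + n2)
    se = sqrt(pooled * (1 - pooled) * (1 / n1 + 1 / n2))
    z = (p1 - p2) / se
    p_value = 2 * (1 - NormalDist().cdf(abs(z)))
    return z, p_value


def pct_within(days, sla):
    """Share of patches deployed within `sla` days of the advisory."""
    return sum(1 for d in days if d <= sla) / len(days)


def yoy_report(prev, curr, sla_days=30, alpha=0.05):
    """Compare year `curr` with `prev` and flag which measures moved the right way.

    Phishing counts as improved only if the click rate fell AND the
    two-proportion test rejects noise at significance `alpha` (assumed 0.05).
    """
    n1, x1 = PHISH[prev]
    n2, x2 = PHISH[curr]
    z, p_value = two_proportion_z(n1, x1, n2, x2)
    phish_prev, phish_curr = click_rate(n1, x1), click_rate(n2, x2)

    patch_prev = pct_within(PATCH_DAYS[prev], sla_days)
    patch_curr = pct_within(PATCH_DAYS[curr], sla_days)

    return {
        "phish_rate": (phish_prev, phish_curr),
        "phish_p_value": p_value,
        "phish_improved": phish_curr < phish_prev and p_value < alpha,
        "patch_within_sla": (patch_prev, patch_curr),
        "patch_improved": patch_curr > patch_prev,
        "dlp_per_1k": (DLP_PER_1K[prev], DLP_PER_1K[curr]),
        "dlp_improved": DLP_PER_1K[curr] < DLP_PER_1K[prev],
    }


if __name__ == "__main__":
    for key, value in yoy_report(2018, 2019).items():
        print(f"{key}: {value}")
```

The significance test is the part worth keeping: with a few thousand simulated emails a drop from 11.5% to 7.9% is unmistakable, but with twenty emails per year two clicks versus one tells you nothing, and reporting it as improvement would be exactly the kind of "evidence" that should not drive a decision.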

But while Costantino believes in the value of data to drive effective security decisions, he said it’s important to balance what the data suggests with what his experience tells him. There are times, he said, when the data is “telling you something that doesn’t feel right,” and in those cases, “you have to let common sense prevail.”


Photography by Bob Keaveney
