I’m Jim Routh. I’m the Chief Security Officer of Aetna, and I’m also the Chair of the National Health ISAC, and I’ve been working with trusted email capability for probably nine years.
Email today is the number one threat vector used by cybercriminals of all shapes and sizes, and with different motivations. It’s largely because it’s an interface with people. It takes a minute and 22 seconds for the phishing email campaign to be successful and have a victim. That means that it’s going to continue. It’s inevitable. It works. It’s effective. So, it’s not going away, and like any other aspects of security, the enterprise today needs capability to fight back, needs capability to adjust tactics, needs to understand the intelligence behind the tactics that are being used, and the capabilities to add trust back into the email ecosystem. That is fundamental to every agenda for every chief security officer today.
Well, the number one challenge of what enterprises face today is if you look for authoritative sources in the security industry for guidance on the appropriate mitigation for preventing phishing, the recommendation is education. And if you break down that education, it’s education to teach people not to trust that an email is coming from a colleague, which breaks down the whole enterprise in terms of its culture, because you’re extracting trust from the email ecosystem, as opposed to putting controls in place that add trust.
I think the latter is a much better investment that’s sustainable, and anybody can be fooled by that email, anyone. That means that we’ve got to do a better job of putting controls in place that inject trust into the ecosystem as opposed to extracting it.