Exploring Risk Assessment and Management, Challenges, Emerging Technology and Multilayered Defense


By Othello Dixon, Information Security Officer, Virginia Department of Health

Risk Assessment & Management
Risk assessment and management aim to reduce, monitor, and control risk to an acceptable level based on an organization’s risk tolerance and resources. Risk assessment and management processes help organizations identify, evaluate, and mitigate potential risks to achieve their objectives while minimizing adverse outcomes.
When it comes to risk management, organizations need to define their risk tolerance – the level of risk they are willing to accept while pursuing their goals. Communication of risks and risk management strategies is crucial so that all stakeholders understand and participate in the process. VDH (Virginia Department of Health) is leveraging a GRC (governance, risk and compliance) tool to give leadership visibility into our risk posture, which helps us make informed decisions.
We are developing a culture that values risk awareness and transparency and adopts a proactive stance toward risk management. Prioritizing risks, putting protective measures in place, and having a solid incident response plan are crucial steps in limiting the consequences of security events whose risk cannot be fully eliminated. A GRC tool supports an organization's Risk Assessment and Management program by allowing it to efficiently track, assess, and mitigate risks, enabling proactive decision-making and maintaining a robust information security posture.


Challenges you faced while adopting any of those technologies at your premises.
I arrived at VDH in June 2020 as a new ISO, with new opportunities on the rise. It was during the COVID-19 pandemic, when employees were transitioning to remote work. Ensuring the confidentiality and integrity of sensitive data became more complex as the traditional security perimeter extended to various home networks, requiring the ISO to navigate and mitigate risks associated with diverse and potentially less secure environments. Balancing the need for increased flexibility and remote access with maintaining robust security measures posed a continual challenge because I had to adapt and protect VDH data. I sometimes face specific hurdles due to the sensitive nature of healthcare data and my critical role in ensuring data security and compliance. VDH is a HIPAA hybrid organization; therefore, my primary goal is to protect the confidentiality, integrity, and availability of VDH data. I could not do this by myself; it was a team effort.
Data is the new gold, so threat actors constantly find new ways to steal data. Cybersecurity threats are persistently evolving, and so am I. I stay on top of the latest vulnerabilities and threat intelligence. Additionally, conducting regular security assessments, vulnerability scanning, and staying vigilant for emerging attack vectors help us stay one step ahead in protecting VDH data.
With remote work, ensuring that data is shared securely was a challenge. VDH and most agencies partnered with VITA (Virginia Information Technologies Agency) for additional VPN access. This ensured VDH employees were accessing the network via VPN, which was very secure.
Another challenge is human error. Recent statistics from Stanford University show that 88% of all organizational data breaches are users' fault. User errors are addressed through Security Awareness Training. VDH has a solid Security Awareness program with a 99% user completion rate. In addition, we send out weekly Security Tips to employees, educating them about cyber threats. I introduced the Cyber Talk Series 3.5 years ago to inform VDH users of Security Best Practices and Security Awareness. We invite speakers to speak to VDH employees on different topics. This has been very helpful for VDH users. At times, we make it fun by doing an Escape Room where employees play and learn simultaneously.

Positive and negative impacts of emerging technology
Artificial Intelligence (AI) has changed how we live and work, bringing about both positive and negative impacts on society. On the positive side, AI has significantly improved efficiency and productivity across various industries. Implementing automation and machine learning algorithms has enhanced process efficiency, minimized human errors, and conserved valuable time and resources.
In healthcare, AI aids in diagnosis and treatment planning, potentially saving lives. In transportation, companies use Computer Vision for their self-driving vehicles, which promise safer and more efficient roads.
AI has also transformed customer experiences through personalized recommendations and virtual assistants, enhancing user satisfaction. Moreover, AI has made strides in scientific research, assisting in data analysis and drug discovery.
However, the rapid development of AI has raised concerns. Job displacement is a prominent issue, as automation threatens specific roles. Robotic Process Automation (RPA) works 24/7, 365 days a year, is faster, and has a higher accuracy level than humans.
Privacy concerns arise as AI algorithms collect and analyze vast amounts of personal data. Ethical dilemmas emerge when AI biases and discrimination in decision-making processes are revealed. Additionally, the potential for misuse in the form of deepfakes or autonomous weaponry is a troubling aspect.
How do you determine who is accountable for deaths caused by self-driving cars? Since 2019, 736 Tesla crashes involving Autopilot mode and 17 deaths have been reported.
AI’s positive impacts on efficiency, innovation, and problem-solving are substantial. However, society must address the negative consequences, including job displacement, privacy infringements, ethical concerns, and potential misuse, to ensure AI’s continued responsible and beneficial development.

A topic that aligns with your interest – Defense in Depth.
Despite being an older concept, Defense in Depth remains crucial for robust cybersecurity strategies today. Defense in Depth is a multi-layered approach that involves implementing security measures at different levels of an organization's network and infrastructure. Because each layer must be defeated separately, it thwarts attackers at various stages of an attack and reduces the chances that a single failure leads to a successful breach.
The first layer of defense typically involves perimeter security, like firewalls and intrusion detection and prevention systems (IDS/IPS), to detect and block malicious traffic before it reaches the organization's internal network. Beyond this, network security measures, like VPNs and network segmentation, ensure that attackers face additional hurdles even if they get past the initial perimeter. Further into the network, host-based security measures secure individual devices, including servers and endpoints, through antivirus software, patch management, and secure configuration. Finally, data protection is critical, so encryption and access controls are needed to safeguard sensitive information even if a host is compromised.
With the partnership with VITA, VDH machines have all the layers of Defense in Depth. Continuous monitoring and incident response plans are integral components of Defense in Depth, as they help identify and respond to threats in real time. VDH has implemented Splunk, a centralized platform for collecting, analyzing, and correlating data from various security tools and sources. This allows us to gain insights into our security posture, identify anomalies, and respond swiftly to potential threats, strengthening multiple layers of defense across our infrastructure.
The defense-in-depth approach connects the different security layers proactively and holistically, creating a more resilient and adaptive security posture in the face of an ever-changing threat landscape.
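The correlation step that ties the layers together, as an added illustration rather than code from VDH, VITA or Splunk: a small Python stand-in for what a centralized platform does when it joins perimeter, VPN and host telemetry. The log format, field names, the 10-minute window and the scan and brute-force thresholds are assumptions invented for the example, and the log lines are constructed. A port scan on its own, or a VPN login on its own, stays below the alert threshold; the same source IP scanning the perimeter, then logging in over VPN, then brute-forcing a workstation logon within minutes is raised as one high-severity alert that names every layer that saw it.

```python
"""Correlate events from several defense-in-depth layers into one alert.

Added example, not VDH/VITA/Splunk code. The log format, field names,
window and thresholds below are assumptions made for the illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <layer> key=value ..."
SAMPLE_LOG = """\
2024-03-01T08:00:01 firewall action=deny src=203.0.113.7 dst=10.0.1.5 dport=22
2024-03-01T08:00:02 firewall action=deny src=203.0.113.7 dst=10.0.1.5 dport=445
2024-03-01T08:00:03 firewall action=deny src=203.0.113.7 dst=10.0.1.5 dport=3389
2024-03-01T08:00:04 firewall action=deny src=203.0.113.7 dst=10.0.1.5 dport=8080
2024-03-01T08:00:05 firewall action=deny src=203.0.113.7 dst=10.0.1.5 dport=443
2024-03-01T08:04:10 vpn action=login result=success user=jdoe src=203.0.113.7
2024-03-01T08:05:30 host action=logon result=failure user=jdoe host=ws-0112
2024-03-01T08:05:32 host action=logon result=failure user=jdoe host=ws-0112
2024-03-01T08:05:35 host action=logon result=failure user=jdoe host=ws-0112
2024-03-01T08:05:40 host action=logon result=failure user=jdoe host=ws-0112
2024-03-01T08:05:44 host action=logon result=success user=jdoe host=ws-0112
2024-03-01T09:30:00 vpn action=login result=success user=asmith src=198.51.100.9
2024-03-01T09:31:00 host action=logon result=success user=asmith host=ws-0207
"""

WINDOW = timedelta(minutes=10)       # assumed correlation window
PORT_SCAN_THRESHOLD = 5              # distinct denied ports from one source
BRUTE_FORCE_THRESHOLD = 4            # failed logons before a success


def parse_line(line):
    """Turn one log line into a dict with a datetime under 'ts'."""
    ts, layer, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts), "layer": layer}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def perimeter_signals(events):
    """Layer 1 (firewall): map scanning sources to the time of their first deny."""
    ports, first_seen = defaultdict(set), {}
    for e in events:
        if e["layer"] == "firewall" and e.get("action") == "deny":
            ports[e["src"]].add(e["dport"])
            first_seen.setdefault(e["src"], e["ts"])
    return {src: first_seen[src] for src, ps in ports.items()
            if len(ps) >= PORT_SCAN_THRESHOLD}


def vpn_logins(events):
    """Layer 2 (VPN): successful logins, each carrying user and source IP."""
    return [e for e in events if e["layer"] == "vpn" and e.get("result") == "success"]


def host_bruteforce(events):
    """Layer 3 (host): a success preceded by >= threshold failures within WINDOW."""
    failures, hits = defaultdict(list), []
    for e in events:
        if e["layer"] != "host" or e.get("action") != "logon":
            continue
        key = (e["user"], e["host"])
        if e["result"] == "failure":
            failures[key].append(e["ts"])
        elif e["result"] == "success":
            recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
            if len(recent) >= BRUTE_FORCE_THRESHOLD:
                hits.append(e)
            failures[key].clear()
    return hits


def correlate(text):
    """Join the three layers on source IP / user and emit cross-layer alerts."""
    events = parse_log(text)
    scans, brute = perimeter_signals(events), host_bruteforce(events)
    alerts = []
    for login in vpn_logins(events):
        layers = ["vpn"]
        scan_ts = scans.get(login["src"])
        if scan_ts is not None and abs(login["ts"] - scan_ts) <= WINDOW:
            layers.append("firewall")
        if any(h["user"] == login["user"] and timedelta(0) <= h["ts"] - login["ts"] <= WINDOW
               for h in brute):
            layers.append("host")
        if len(layers) >= 2:   # a single layer alone never alerts here
            alerts.append({"user": login["user"], "src": login["src"],
                           "layers": sorted(layers),
                           "severity": "high" if len(layers) == 3 else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

The second VPN user (asmith) logs in and logs on cleanly, so no alert is produced for that session; the value of the central platform is precisely that the jdoe sequence, which looks benign at the VPN layer by itself, becomes visible once the firewall and host layers are joined to it.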

Closing
To have an effective security program, you need leadership support. I have VDH leadership’s full support. I see myself as a business enabler, helping the business by aligning security practices with the business goals.