Memorial Sloan Kettering Cancer Center (MSK) has been selected as one of IDG’s Computerworld 2019 Best Places to Work in IT. MSK ranked No. 26 among large size organizations and top 10 for our benefits package.
Close-Up: Information Security at MSK
When you visit the office of Mike Czumak, MSK's Vice President and Chief Information Security Officer, you're immediately struck by the serenity of the space. The lighting is low and the atmosphere is calming — a surprising contrast to the intensity of the work being done. If it weren't for the glow from the three computer monitors, it would be almost relaxing.
Since taking the reins of the Information Security Office in 2015, Mike has sharpened the group's focus and raised its profile. He sees its mission as twofold: to protect MSK, its patients, and its staff from cyberattacks while simultaneously enabling employees to do their best work.
"It's easy to protect if that's your only goal — you can just shut down and unplug everything," says Mike. "But we are intent on helping departments and individuals achieve their objectives."
Toward that end, he's also given the group a friendly nickname: InfoSec.
Mission: Protect and Enable
InfoSec is part of the Information Technology Department but has its own specific mission and 15 staff members with highly specialized skills. The team has three sections: Governance and Strategy, led by Will Pustorino; Enterprise Security Management, led by Bryan Mauro; and Security Operations, led by Andrij Kuzyszyn.
Although each section has a unique focus, the team is united by a passion for its collective mission. "The Pit," another dimly lit room, provides a telling glimpse into InfoSec's dedication to protecting and problem solving. It's a hive of activity where team members, surrounded by empty coffee cups and soda cans, field calls and emails from employees with security concerns and try to provide solutions. Denizens of the Pit are quick with smiles and jokes when Mike stops by with a visitor, but they all keep one eye on their screens, intent on ensuring that the work of MSK goes forward without a hitch.
A recent occurrence that sent the InfoSec team into high gear took place in the first quarter of 2018 when MSK endured a "spear-phishing" attack, defined as an attack that seems to come from a trusted sender. In this case, the attacker sent a targeted phishing email to hundreds of employees. The email asked recipients to open an attachment, which then led to a phishing site designed to steal their login credentials.
The InfoSec incident response team leapt into action by blocking the sender and the malicious web link contained in the message and removing the message from employees' in-boxes. The team also used a tool called Splunk to determine whether any employee had clicked on the malicious link.
Ideally, this is how it works: Threats are identified and sidelined before they do any damage to MSK. Toward that end, InfoSec oversees several preventive measures:
1. Incident Response
Every day, the team responds to attempts to breach MSK's data security. The most common threat is from phishing, or emails sent with the intention of tricking employees into divulging private data or information, such as credit card numbers or passwords. But efforts to steal data are not confined to email.
Incident response often involves collaboration with other departments, including Legal, Privacy, HR, Communications, and Physical Security.
A major area of focus for InfoSec is conducting assessments. MSK requires an assessment any time an employee introduces or changes a technological tool or platform, or gives a vendor information or access to MSK systems. From InfoSec's perspective, assessments are the perfect time to nip problems in the bud.
"During an assessment, we often uncover issues that we can fix before they become huge problems — and we see that as a big win," explains Mike.
According to Will Pustorino, comparable assessments on the open market can cost upwards of $40,000. "Everyone," he says, "even our vendors, benefits from knowing what the risks are with any project."
The key is bringing InfoSec on board early in the process.
"Our goal is not only to protect our patients, who have enough on their minds without worrying about identify theft and data leakage, but to protect our staff as well. “
"We can help our staff do their jobs more effectively — but only if they loop us in to what they're doing," he continues.
3. Raising Awareness
The business of being looped in is of paramount concern to Will. His team provides training on such topics as security policy, desktop and password security, phishing, hoaxes, and malware. InfoSec also manages a robust community on OneMSK that offers a wealth of resources and tools to help employees learn how to keep their data safe. Resources include tips on social media, a weekly blog, videos, printable infographics and more.
Growth, Change, and Challenge
Growth at MSK is not just about head count. The increase in new affiliations between MSK and other organizations is another aspect of growth that presents its own challenges.
"New kinds of relationships, like those forged through the MSK Cancer Alliance, may include data exchange and the integration of systems, which can pose a risk," says Mike. "They also raise the prospect of employees from outside organizations potentially having access to MSK data. How do we bring the same level of awareness to them that we've strived to establish among our own workforce?"
The different ways that employees now work, such as telecommuting, also require a new security construct, particularly when employees use their own laptops or phones for work.
Ultimately, employee awareness is critical. "Every employee at MSK should think before they open an email or click on a link," reminds Mike.
From Military to MSK
Mike is not new to protecting critical information. Before joining MSK, he was in the Air Force where he worked in network operations. By the time he left his first duty station, he was running the Air Force's equivalent of MSK's Data Center.
Eventually, he went on to the Air Force Institute of Technology, where he earned a master's degree in both information assurance (the Air Force's name for information security) and strategic information management.
Over many years, Mike and his wife, Amy, moved around the Midwest several times. When he was ready to settle down, MSK was the only place he applied.
He said: "I wanted to find a place where I'd value the mission as much as I did in the Air Force. MSK is that place."