Ian Schneller saw the dramatic rise of information security threats firsthand during a 23-year career in the U.S. Air Force dedicated to cyber defense and cyber warfare.
Schneller joined Health Care Service Corporation (HCSC) this year as the company’s chief information security officer (CISO). Before making the jump to the health care industry, he was an information security leader for two multinational banks, as well as CISO of a multibillion dollar financial services firm.
"We must be ever vigilant and focus on information security as an enterprise capability to help protect our employees and members."
With Cybersecurity Awareness Month underway, Schneller shares his perspective on the modern threat environment — and how HCSC and its employees work to protect the data of its members and other stakeholders.
You got into cyber defense as a young officer in the Air Force. How did you get on that path so early?
I entered the Air Force hoping and wanting to be a pilot. Along the way in the late 1990s, the Air Force determined that they didn’t need as many pilots and I needed to take a different career field.
My undergraduate degree was computer science, and I was able to say, what I really want to do is combine cyber security with intelligence capabilities. And that resulted in starting a very fun and rewarding career that lasted over 20 years.
What was the technology like at that time?
When I first joined the Air Force, we didn't have email addresses other than within the office. It was a brand new thing and the World Wide Web just really didn’t exist. As a society we hadn't yet figured out the extreme benefit, risk and the intelligence value of that new technology. But I intuitively knew it was something I wanted to learn more about, combining these disciplines of new technologies into new intelligence capabilities
Your work included offense in addition to defense. Is it useful in cybersecurity to understand the mindset of an attacker?
The unique attacker perspective helps prioritize risks. Which vulnerability would an attacker take advantage of with a real likelihood of achieving their objective? Throughout my career on the defensive side, I’ve used that mindset to figure out which vulnerabilities we need to address first as those are the most likely ones to be exploited by a threat actor.
After the Air Force you were a cybersecurity leader for large banks. Can you describe what it was like to make that leap?
One common thread is you’re continuously under onslaught of cyber threats, trying to gain access to and/or harm your information and/or systems. That’s a constant from big banks to health care to government.
Coming into a big bank after a career in the government was different in many ways. You have different regulations, different rules, and a different culture. But the business model is something I really had to concentrate on. How do we make money? What’s on the minds of the leadership? You’re constantly learning because you have to be able to speak about the impact to the business.
In the Air Force, it was being able to get planes off the ground and delivering their cargo or their munitions where they need to go. Now at HCSC, it’s the ability to help ensure that we have uninterrupted care for our members.
How would you describe the threat environment in health care?
We are a target with a very capable and highly motivated adversary, which isn't much different from the financial sector. We have vast amounts of information that’s highly sensitive.
The thing to keep in mind is these cyber threats aren’t loose knit organizations of a few people working in the basement of somebody’s building. They’re run like Fortune 500 companies. They have a staff. They hire, they fire, they promote. They have pizza parties in the break room when a large company is hacked. They have research and development that’s focused on doing nothing other than getting around technical controls.
We must be ever vigilant and focus on information security as an enterprise capability to help protect our employees and members.
How does HCSC’s Cyber Fusion Center help us monitor and fend off attacks?
The Cyber Fusion Center is really the day-to-day heartbeat of information security. It allows us to detect if something is not right, rapidly respond and then recover. Just the nature of the environment is things happen every day, all day.
Can we count on technology to stay ahead of the threats?
Despite a company having the best technology and the best processes, the adversary will find a way around that. And that’s why we always say in annual training and engagement campaigns: We all have a role in information security.
You are the first person who might be able to detect something is not right. A phishing message. Your computer slowing down. That’s why it’s so important to recognize it and report it. We all have the ability to help stop an attack.