Profile: Brian Miller, CISO, Healthfirst
Published On: May 22, 2017
FROM NASCENT SECURITY PROGRAM TO STATE-OF-THE-ART IN TWO YEARS
Brian Miller is the first CISO at Healthfirst, a provider-sponsored health insurance company that serves poor and underserved people in New York City. The ability to work with an organization that is truly making a difference in people’s lives is what drew Miller to the role. “We provide top quality care to people that have traditionally not had access to the best services,” says Miller. “We have four- and five-star quality ratings for our Medicare and Medicaid products, respectively. Those are very hard scores to get, and we are very proud of that. It is really compelling to work in an organization with this mission. It is definitely worth investing my time and energy.”
In his first year, Miller set out to complete 26 major projects covering 43 distinct goals. Luckily for Miller, everyone at the C-level and on the organization’s Board of Directors was supportive. According to Miller, the Healthfirst Board of Directors is highly engaged with the security program. He reports to the Board on risks as well as accomplishments. While he keeps the information high-level, there is usually an opportunity to dig deeper. “The Chairman and the Board dive into specific questions about what we are doing and how we are responding to risks. That requires more granular metrics about performance, which we have as well.”
Buy-in and commitment from the highest levels of the organization allowed Miller to hit the ground running. “It was daunting, but also very exciting to be a part of such a big transformation,” says Miller. “To be able to take hold of and drive the transformation of security - to take it from troubled to state-of-the-art was very appealing to me. It was a very fast-paced first year. We were always bringing the best solutions possible to the table. Seeing the program come to life was very exciting.”
Starting nearly from scratch, Miller and his team first embraced the HITRUST security framework. “We focused on people, process and technology and ensured we had a policy that aligned with HITRUST. The policies and procedures we implemented gave us a strong foundation for future projects such as applying security to application development and other programs.”
Miller’s initial 26 projects spanned a wide array of security functions aimed at closing gaps in Healthfirst’s network and systems, including Endpoint Protection and Identity and Access Management. Incident Response and Governance, Risk and Compliance were other big priorities for Miller in his first year and a half.
Much of Miller’s initial effort was focused on Vulnerability Management and Patching. “The SANS Top 20 Security Controls include basic patching, which is conceptually very simple, but organizationally we had to go on a journey from ad hoc patching to a very disciplined approach. Our people and processes needed to mature. It took us approximately 12 months before we were on a regular cadence. Now we scan, patch and scan again on a regular basis.”
A CONSULTING ORGANIZATION BUILT ON FLEXIBILITY AND AUTONOMY DRIVES SECURITY ACHIEVEMENTS
Miller is passionate about how far Healthfirst’s security program has come in two years. Much of the program’s success is due to his talented team and their approach. Miller’s successful experience in consulting enables him to run his security program like a consulting organization. He comments, “As consultants, we are guiding the organization through dramatic security changes.”
Miller continues, “A client once said to me, ‘If you do this project well, you will be here forever. If you do not, you will not see another dollar from us.’ I always think of that conversation because it is the essence of what everyone wants. They want you to bring value to the table every day. Our job as a security team is to figure out what different people need and provide them with value.”
In two years Miller has grown his team from six employees to twenty. He is focused on hiring and retaining the right team members. Miller says, “Hiring the right people in the right places was so important. I focus on diversity among my staff. I believe that diversity makes our team stronger. This broadens the perspective of our team in a positive way. Having a diverse team helps us to avoid ‘group think’ and creates an environment where people are pushed out of their comfort zones in good ways. If managed correctly, diverse teams communicate better.”
In the ultra-competitive security hiring market, Miller retains and motivates his team with flexibility, autonomy and training. “Even though we are based in New York City, my team works from anywhere. I hire the best people for the role, no matter their location. For example, my Head of Cyber Operations works from Boston, and our team member in charge of Patch Management is in Florida. Nearly everyone on the team works from home one or two days a week. I am very results-oriented. If the work is getting done, it makes no difference where or when the team works. It is about performance, not about being in the office.”
Miller prioritizes his employees’ career and personal motivations to keep them energized and happy at Healthfirst. “I have one employee who is so talented, and making top dollar, but he could go elsewhere and make even more money. At Healthfirst he appreciates that he has opportunities to speak at conferences and train in cutting-edge technologies. That’s what keeps him motivated.”
To enable autonomous workers, Miller gives them the authority to make their own decisions. “I tell my employees to consider the risks of every question or decision. Ask yourself, ‘Are you willing to accept the risks?’ If not, raise up the issue until you find someone willing to accept the risk and make the decision.”
Miller considers the growth of Healthfirst’s security program as the biggest achievement of his career. He proudly states, “Our CIO said that success would be measured based on those first 26 projects. We did not get to everything in the first six months, but we moved everything along. It was a challenge to execute on those programs while simultaneously hiring a full team, but with the right people on board, we were very successful.”