Job one for the Elevance Health security head is helping stop ‘sketchy guys’

When Elevance Health head of security Sekhar Nagasundaram went to visit his son’s classroom in 2011, he struggled to describe what he did to a group of young school children. His kid kindly bailed him out when he said, “Dad, you help catch sketchy guys.”

When it comes to protecting the systems inside large organizations like Elevance, Visa and the Federal Reserve Board, Nagasundaram has spent his entire career trying to protect them from the proverbial sketchy guys his kid alluded to.

Today, as part of Elevance Health, formerly known as Anthem, his job is bigger than ever. He came on board in 2021, long after the now infamous 2015 Anthem breach. That breach resulted in tens of millions of people, including both customers and employees, losing personal information, per the New York Times. 

Nagasundaram was at Visa in 2015 and used the Anthem attack as an object lesson for his company at the time, a technique a lot of security leaders use. In fact, Adam Fletcher, who is CISO at Blackstone, recently told FastForward, he often refers to news events as a way to start conversations with the board and other executives.

“More often than not, I like to take every opportunity to look at what has happened in the public eye, things that appear in the Financial Times, The New York Times, Wall Street Journal, whatever, and then reflect on that and ask how that would impact us,” Fletcher said. It’s a great approach for any security leader: don’t let this happen to us.

Having worked in both healthcare and financial services, Nagasundaram sees a lot of similarities between the two industries when it comes to managing risk because whether you’re dealing with people’s health information or financial information, it’s something they value and hold dear and don’t want being spread in the public sphere.

“At the end of the day, economic well being and health kind of go hand in hand,” he said. In practical terms that means you really need both to feel secure, and when either is at risk it could put a person’s sense of well being at risk too.

Elevance is an enormous company with more than 100,000 employees, a revenue run rate of over $180 billion as of its latest earnings report in October and a market cap of over $86 billion. While Nagasundaram wasn't around for the 2015 attack, in many ways he still has to deal with the ghosts of that incident as he sets security strategy inside the company.

Keeping the organization on track

It’s a huge challenge to protect a company that large, especially one that is adding to the portfolio of companies under its management on a regular basis through acquisitions. Most recently the company snagged IU Health Insurance in September and acquired Carebridge in October. Nagasundaram says it requires discipline and a clear plan to keep the company secure, especially as it continually adds components. He has a three-pronged approach to protecting the company.

The first piece is around visibility. “For me, if I can't see it, I can't protect it. I can't manage it. So to the extent we can, we gain knowledge and situational awareness of each and every asset,” he said. 

That’s made even more challenging by the acquisition strategy, which adds new components with different technology stacks on a regular cadence.  To help incorporate these new companies, and continually track what he already has he uses a number of approaches including the use of sensors, partners and continual threat assessments to get a better understanding of “open doors.” He also takes a zero trust approach and combines that with predictive analytics using AI and machine learning to get that visibility he seeks.

The second piece is around making the security systems scalable via cloud by using a SaaS model for delivery. “That is about changing the operating model to act as a service versus one that’s on prem,” he said. That leaves a level of flexibility to add necessary resources as the company grows, new threats develop and the organization acquires new pieces.

Finally, he is always trying to find ways to battle new attack vectors. “We are working with the business units and fostering deeper alliances with them to tackle multi-dimensional threats,” he said. That includes physical threats in the wake of the Brian Thomson assassination, as well as cyber resiliency, using AI as a defense against adversarial AI and combatting digital fraud.

They are using education to help employees and executives understand threats better because attackers are increasingly getting into systems with legitimate credentials. That’s a real problem for every company, so they are looking to help executives understand the nature of attacks, deep fakes and phishing attacks, while also trying to help employees be more savvy about these threats.

The company recognizes that attackers will be using AI, but it is also looking at AI as a way to scale and get things done faster. That means using Generative AI to understand the nature of threats and attacks and get to the root of a problem faster. Instead of a long laborious search, they can simply interact with the system by asking questions and get answers much more quickly.

The goal is to move from a static or even adaptive SOC (security operations center) to a cognitive one, but he says that’s a work in progress.

The job may ultimately be about stopping “sketchy guys” as his son so aptly put it all those years ago, but it’s a job that comes with an extraordinary amount of responsibility and personal risk if things go wrong. It’s fair to ask why he does it. 

Simply put, it’s because he loves the thrill of the chase. “I love it. I love it. It's doing something bigger, but at the same time, it's a passion.”

Photo courtesy of Elevance Health