Dr. Adrian M. Mayers – Premera Blue Cross

Every company in the U.S. that holds large amounts of sensitive data should not only ensure that their security programs are as robust as possible—they have a primary duty to do so.

This, says Dr. Adrian M. Mayers, is not only to protect clients, partners and internal users, but to contribute to national security.

As the chief information security officer at Premera Blue Cross puts it, when you can interweave data security, identity access management, and threat intelligence—all while reducing what he deems the “friction of technology”—you have a much stronger national security posture.

“We’re contributing to a larger narrative,” says Mayers. “It’s a call to action.”

Bolstering security in an insecure world

This call to action brought him to Premera in November 2019. Based in Mountlake Terrace, Washington, the health insurance company—an independent licensee of the Blue Cross Blue Shield Association—serves roughly 2.4 million members nationally.

Holder of a doctorate, with a background in consumer electronics, Mayers immediately started to increase security across the organization.

Notably, this has involved using behavior analytics—establishing baselines, as well as alerts that pop up whenever there are anomalies or spikes in network behavior.

Premera’s curated threat intelligence and response team, which he describes as “operators at the tip of the spear, highly experienced and skilled engineers,” then build investigations based off of these telemetries.

They also use the collaborative MITRE ATT&CK framework, which provides a matrix of tactics and techniques used by so-called threat hunters and defenders to help organizations better classify attacks and assess their risk. Mayers’ team can map Premera’s capabilities—and any gaps—by looking at threats against MITRE by other “threats in the wild” reported by other organizations.

For example, sometimes a threat actor might try to “move laterally”—as opposed to attacking the organization head-on—but these actions can build “on-ramps” that help the team delve into analysis of vulnerable areas and attempted breach points, he explains.

Geo attacks are identified, cataloged and loaded back into network countermeasure software. And, in turn, Premera shares the gathered intel and indicators of compromise or IOCs—basically, any artifact on a network thought to be suspicious—with partners and other members of the broad-sweeping Blue Cross Blue Shield network.

“You want to make sure that the right people are connecting to the right things at the right time and place,” Mayers says. “You must bring in the right level of security to protect assets, to enable end users to get their work done in appropriate ways, and to infuse technology at the right level in the appropriate places.”

Guiding tenets

Mayers takes a philosophical as well as a tactical approach to these initiatives.

He’s inspired by the likes of Christian Brose, former staff director for the Senate Armed Services Committee and author of “The Kill Chain: Defending America in the Future of High-Tech Warfare.”

Six tenets that Mayers has identified, along with his comments, are based on Premera’s overarching values:

Identifying with the customer; acting with urgency—“Things are changing on a daily basis, if not hour by hour.”; being excellent—“In what we do there are sometimes no second chances, we have to be right the first time.”; challenging convention by being “creative and innovative at the speed of change.”; doing the right thing for members, the company, and to comply with regulatory and governing entities.

“The work that we do absolutely demands the highest level of integrity and honesty,” Mayers says.

The final, and perhaps most important, tenet: working together—both internally and externally. As for the latter, Premera works closely with Silicon Valley-based cybersecurity firm FireEye, for one, having embedded its advanced cyberthreat intelligence, cybersecurity products, incident response and forensic services capabilities into daily cybersecurity operations.

“FireEye’s expertise, particularly in the threat intelligence space, allows our cybersecurity teams to maintain a clear line of sight on the threat horizon,” Mayers explains.

Another asset: Asureti. Complex cybersecurity programs such as Premera’s require periodic, focused reviews in specific areas, he says, and Asureti, a computer security service, provides “surgical precision” when it comes to strategic cybersecurity planning, controls assessments and risk management.

Meanwhile, within the organization, Mayers and his team constantly work to make technology as intuitive and easy to use as possible.

“Technology and business teams must work seamlessly,” he says. “Technology cannot be a friction point; it must be an enabler.”

Always the human component

With an MBA from Athabasca University in Alberta and a doctorate in business administration from California’s Northcentral University, Mayers has long had a passion for, and a dedication to, security.

He came to Premera after holding directorial security posts at Nokia—where he spent 11 years, the last as regional director of security for the Americas—Microsoft and insurance software company Vertafore.

Beyond his security focus, he leads ongoing migrations to the Microsoft Azure cloud while looking at ways to integrate machine learning and AI capabilities. “IoT is a wave of change that we want to remain in front of,” he adds.

And now, as he is also a member of Premera, he is personally invested in continuing to evolve its security program for himself, his family and all its members and employees.

“I was attracted to the core mission to make health care work better,” Mayers says. “It’s the human component to the work. It’s not just about the digital side, the 1s and 0s. It’s looking at the 1s and 0s to fulfill the human mission, focus and objective.”