Over her 25-year career in information technology (IT) risk and cybersecurity, Pam Nigro has learned that security works best when it’s baked into development, rather than added on later in the process.
Nigro started in information technology as a Manager at PricewaterhouseCoopers (PwC), consulting with clients to develop and build internal cybersecurity controls. This role led her to discover her passion for seeing cybersecurity programs implemented from beginning to end and framed her understanding of cyber risk.
At PwC, Nigro engaged in a project designing Health Insurance Portability and Accountability Act (HIPAA) privacy controls for Health Care Service Corporation (HCSC). “On the PwC side of HCSC, I got to build out all these controls and processes, and the opportunity came when HCSC said, ‘Well, if you really believe this, and you think this is the right way to go, come on board and operationalize it.’”
That jumpstarted Nigro’s 14-year career working at HCSC, where, as Senior Director of Information Security, she developed data privacy and cybersecurity controls into the cutting-edge, mature processes they are today. One of the cornerstones of her time at HCSC was developing a DevSecOps framework that automated security using data analytics. “I started to fundamentally shift my thinking about how to apply security in the organization, and my phrase was, ‘Bake it in, don’t bolt it on.’” In past security models, HCSC relied on having security approve tools and procedures after they had already been developed, relegating security to a function that was seen as a bottleneck, rather than a business enabler. By integrating security into the development process, Nigro was able to bake cyber controls in at the early stages of code creation.
Nigro developed a DevSecOps model for the organization that baked dependencies into the IT space at HCSC. She worked with the DevOps team to develop scripts that tracked network anomalies and incorporated security at the code level — and accomplished this in the era before commercial DevSecOps tools existed and matured. “The scripts did the automated checking for security so that the developers could focus on developing,” she says. With that information, she led the creation of a security data lake and leveraged it for a security analytics program. “We started pulling all of the scripts’ log files into the security data lake, so we’re ingesting all of this information, which told us which security goals we were meeting and where we ran into issues.” This analytics program helped HCSC prove the security compliance in the highly regulated organization.
After over a decade of maturing the security program at HCSC, Nigro had the opportunity to join the Home Access Health Corporation (HAHC), which was acquired by Everly Health, as Vice President, Information Technology and Security Officer after the organization suffered a ransomware incident. In 18 months, Nigro transformed the organization’s on-premises infrastructure to a mature, cloud-based cybersecurity function that achieved HITRUST certification in under two years, including a digital transformation. “The cool thing that I got to do was not only have fun with technology, but reengineer their entire technology stack, get it into the cloud and apply security controls at the same time. Within 18 months, I took them from a ransomware event to HITRUST compliance,” she says.
After her time at HAHC, Nigro moved into her current role as VP, Security at Medecision, a digital care management company. There, Nigro secures protected health information (PHI) and leads the organization through a period of digital enhancement, leveraging analytics & security automation across the digital platform. Nigro applies her “Bake it in, don’t bolt it on” methodology to security at Medecision by taking a risk-based, automated approach to cybersecurity. “I automate security as much as possible within the risk framework of the organization. You have to put in the guardrails and say, ‘If you go outside of these guardrails, only then will security will get engaged.” She says that approach has helped her become a trusted advisor and transformed the cybersecurity team into a business enabler, rather than a “No” function. “That’s really been the biggest transformation in terms of culture that I’ve been working on here at Medecision — being that partner, while still managing our risks and staying within the compliance posture that’s needed from a regulatory perspective.”
In a sector as interconnected and regulated as healthcare, she says that information sharing plays a pivotal role in maintaining strong security controls within and across organizations. “No one person is an island, and no one person is going to think of everything, everywhere. You have to develop a level of collaboration where, if you get stuck, you could reach out to peers and bounce ideas around and talk through different challenges,” she says.
As Chair of the ISACA Board of Directors, Nigro now plays a large role in the information sharing practices of cybersecurity professionals around the globe. The importance of networking and sharing intelligence and best practices with other cybersecurity leaders has helped her throughout her career. “When your head is down and you’re fighting a fire, it’s important to reach out for help and share your story,” she says.
She notes that it’s also critical to share successes, so industry professionals can apply successful frameworks in their own organizations. After she developed the DevSecOps & security analytics program at HCSC, Nigro built a model to share with other industry leaders that she took to various industry conferences. “After the conferences, people reached out and had me meet with their teams and talk through it so that they could build on their ideas and determine how they could apply the model in their environment,” she says. Seeing her work positively impact the cybersecurity defenses of other organizations was a highlight of her career, says Nigro.
Nigro’s information sharing and networking efforts also extend to leadership and management advice. She started a women’s forum in Chicago for cybersecurity, risk and governance professionals to share ideas and discuss challenges at work. The forum’s first meeting was “one of those ‘You’re not alone’ moments,” says Nigro. “It’s changing, but it’s still the case for many individuals that when they sit down at the table, they’re the only woman. When I started mentoring and talking with women and leading the women’s forum, I felt that bond that there are other women out here doing what we’re doing. It was really impactful to be there.”
Nigro says the varied opportunities she’s earned throughout her cybersecurity career have helped develop her into a stronger cybersecurity professional and business partner. “If you look at my career, it’s not linear. I didn’t go from point A to where I am now. There were detours, and those all presented me with other opportunities,” she says. The adaptability she has grown throughout her career is reflected in her cybersecurity leadership style. “In a way, it goes back to my ‘bake it in’ model — make cyber your partner. Being adaptable helps make you a trusted adviser so that you’re there at the table with business leaders, helping them make secure decisions.”