Jim Loveless Helps Protect Children on All Fronts

As an analytical and detail-oriented leader focused on remediating security vulnerabilities related to infrastructure, applications, and data, Jim Loveless is helping protect the company he loves. Loveless serves as the chief information security officer for Nemours Children’s Health System, headquartered in Jacksonville, Florida.

“In the information security field, there is never a dull moment, and I am always looking for a challenge,” he shares. “Our team has to investigate potential security incidents daily, and oftentimes we receive a critical security alert weekly where we have to drop everything to ensure the alert wasn’t identifying something serious.”

Loveless joined Nemours in Orlando in 1997 and was then transferred to Jacksonville in 1999 to become the technical support manager. Over the years, he has taken on various roles, including desktop manager, IS site manager, and director of systems administration. In early 2019, he rose to his current position as CISO.

During his twenty-three years at the company, Loveless was constantly learning and connecting with senior-level leadership as the promotions kept coming.

Security is not what Loveless had in mind when he graduated from the University of Central Florida with a marketing degree, but after working sales and marketing jobs for a while, he realized he didn’t want to do that long-term.

“I went back to a tech school to become a CNE (Certified Novell Engineer). I had to start my career over and became a PC tech for Nemours,” he explains. “Since Nemours Orlando was relatively small at the time, I was fortunate to able to do some networking and server administration too. Later on, I got my MBA because I didn’t want not having a master’s degree to be a career limiter.”

A few years ago, Loveless was looking to make a change and wanted to learn more about security. He got his CISSP certification—an industry standard for those working in information security—and joined the local information security chapters of (ISC)² and InfraGard.

“I also initiated conversations with our then existing CISO, trying to learn more about the role,” Loveless recalls. “Since I thought our CISO would finish his career at Nemours, I was surprised when he resigned. I missed his mentorship, but I was excited about the potential opportunity to help out the information security team during this time of transition. I contacted our vice president asking if there was some way I could help while they searched for a new CISO. To my surprise, she asked me to become the interim CISO.”

Determined, Loveless focused his efforts on becoming the permanent CISO. He researched Gartner articles and availed himself of the Gartner EITL program, which provided consultation services from a former CISO to help him during this transition.

“This is a relatively new field that even five years ago wasn’t where it is today,” Loveless says. “It’s an ever-evolving field that’s not stagnant and, as a result, is always interesting.”

As leader, Loveless and his team help detect and respond to security risks by analyzing network traffic patterns, remediating items found in risk assessments, and conducting penetration testing.

For instance, Nemours recently purchased Darktrace, a network traffic analyzer that can prevent lateral movement and ransomware propagation while simultaneously allowing normal business processes to continue functioning.

Loveless explains that Darktrace detects anomalies and prevents suspicious activity while ensuring the enterprise network remains healthy.

“Darktrace uses AI and machine learning based on patterns of behavior to identify risks,” he says. “This acquisition was timely because close to six thousand users are now accessing Nemours’ critical resources from remote locations.”

In its first few months, Darktrace has identified several security concerns, including network scanning, unapproved VPN software, unencrypted password documents on the network, and more.

Another new tool his team recently implemented is Proofpoint email and browser isolation, which keeps Nemours associates safe from phishing websites by blocking suspicious links in emails.

“Proofpoint also has browser isolation, which allows you to browse the internet in a shell or sandbox. For example, if someone sent you something suspicious but you still wanted to read it, you could open it in this Proofpoint browser shell. By doing this, you are protecting yourself, because the shell is running separately from my local computer,” he explains. “We’re expecting these two advances to benefit Nemours exponentially.”

Other important tools Nemours uses include a third-party security operations center (SOC),  which monitors inbound and outbound traffic to Nemours and alerts the company about any anomalies, and Cisco Firepower, an intrusion prevention system for the network.

“We also use an IT vendor risk management tool to help us evaluate third-party information security risks and their overall security posture, as well as evaluating our security,” Loveless says. “We conduct annual external risk assessments, including a penetration test. From these findings, we create a security roadmap of items to remediate and share those with the board.”

Not only have all three of Loveless’s children been born during his twenty-three years with the company, but his wife, daughter, and son have all worked at Nemours. His wife worked in reimbursements, his daughter as a marketing intern, and his son as a PC tech intern, upgrading PCs to Windows 10. His children have been seen by Nemours physicians on numerous occasions over the years for check-ups and even surgeries. Nemours is a family affair for the Lovelesses.

“I’ve sat at our clinician’s desks working through computer issues, talked with them at length, and worked with them closely on projects, so I know we have some of the most amazing staff in the healthcare,” he says. “The culture at Nemours is putting the patient first, and that’s evident in everything we do. I trust the people, and I’m proud to be a part of the team.”