While information security is very organizationally specific, many of the challenges faced by those tasked with safeguarding data are universal. For insurers of all sizes and lines of business, the focus is really about using a blend of technology and methodology in order to keep sensitive customer or corporate information safe.
This probably isn't news to information security officers, who need to defend against challenges ranging from insider risk, to organized crime to teenage hackers. As if the ever-widening menagerie of malware, viruses and worms is not enough to contend with, security officers also are being challenged to cover more ground, due to the proliferation of mobile and Web-based technology. Indeed, given the risks, the consequences of formulating business strategy without first considering the information security implications are grave.
The widespread adoption of technology enables, for good or ill, behaviors that were impossible or difficult in the past. Not only does technology multiply the avenues for misbehavior-from the USB port to Internet-it also increases the scale of the threat. Kip Boyle, chief information security officer for Seattle-based PEMCO Mutual Insurance Co., likens the challenge faced by insurers to that of record companies when digitization enabled the easy sharing of their critical data, music.
"Years ago, sharing music was not scalable," he says. "Now it's scalable, and it's an issue. You see the same kind of thing with information security. Before, you couldn't easily take 50,000 customer records out of the building on paper. Now, with technology, we can scale misbehavior to proportions where it becomes a great problem."
PEOPLE PROBLEM
Yet, information security is not only a technological problem. Carriers need to protect information regardless of the form it takes. In fact, Boyle says the greatest challenge is getting everyone processing sensitive information to see that they have a place in the big picture, and to impart to them a thorough understanding of what it means when information security goes wrong. "When you boil it all down, information security is really a people problem."
Complicating this is the heterogeneous nature of the modern enterprise. Employees, partners and contractors all require different levels of access to sensitive data. "You need to have a focus on information and accept that you are going to be interested in information protection without regard to who is handling that information," Boyle says.
A 2007 study from New York-based Deloitte Touche Tohmatsu buttresses Boyle's contention. The study, based on a survey of senior information technology executives, found 79% of respondents citing the human factor as the root cause for information security failures. In addition to breaches perpetrated by customers, third parties and business partners, the survey found that a high number of repeated occurrences were attributable to employees-both intentionally through misconduct, and unintentionally, through errors and omissions.
So how do security officers get employees across the enterprise to take information security seriously? One way is to build strong relationships with business leaders, says Thomas Doughty, chief information security officer for Newark, N.J.-based Prudential Financial Inc.
"If a control is important to a business risk owner-a head of the business-it will become important to all those supporting it internally," Doughty says. "If it's just a standards-based checklist issued by the information security office, it's less relevant and may even breed circumvention over time."
PARTNERS AND EVANGELISTS
To help counter this and create a culture where security is firmly in the mind of business people, Prudential employs a federated model, pushing the responsibility for security outward in terms of all the points of execution, technical and operational. "We make sure the right things are appropriate to the right people who own the risks," Doughty says. "Trying to drive that last layer of execution centrally would not be particularly effective or efficient."
Thus, when discussing a new security tool with senior business leaders, Doughty tries to make sure they understand the operational and business risks. "Business leaders can become evangelists for security programs for their own reasons," he says.
Doughty says you not only have to align yourself with the business, you have to be a partner with the business in determining direction. "What we're here to do is to give them the best options and a full set of information to make informed risk decisions," he says. "We're not here to cram a security program into a business model and then to try to figure out how it's going to work. We like to work in the other direction when we can."
While it is important for business to understand security, the opposite also is true. "You have to have some context on how they operate," Boyle says, comparing the challenges of current chief information security officers in relating to the business leaders to the challenges of CIOs of yesteryear. "Twenty years ago the CIO was fighting for legitimacy and to be seen as a business leader unto himself."
Once they have established their understanding of the business, information security personnel can help keep business leaders aware of the down-stream effects of their decisions. For example, while a decision to accept credit card payments over the Web may make perfect sense for the business, it does have large implications for security.
"If you are part of the business conversation when a change is being considered, you can affect things," Boyle says. "It can make a tremendous difference in your operational situations by having these relationships and being able to have those conversations upfront."
Information security officers also may have to adjust their teams to get the right skills in place to address security problems.
Boyle created a new position on his team-information security business solutions manager-and hired an experienced employee with deep contacts on the business side. "His job is to take his existing relationships and build new ones for the benefit of the information security vision that we're pursuing," he says.
THE TOOLS REQUIRED
Even with the proper relationships and team in place, information security requires tools.
With insurance data highly distributed among networks and locales, carriers need to pair infrastructure-level protections with adaptive application-layer firewalls. Until recently, the only option was to cobble together point solutions from different vendors. Fortunately, for newer, sophisticated toolsets are giving them the technical ability to meet threat models in a centralized manner that wasn't possible even a few years ago. Among these new tools are data loss prevention (DLP) products, which sit at the gateway of the network and quarantine or encrypt data as it passes through. DLP products can monitor what is sent out via e-mail, instant message and FTP. They also can break open e-mail and use rules to determine the content and whether it can be sent out as clear text or whether it has to be encrypted.
Kurt Shedenhelm, president and CEO of Ames, Iowa-based Palisade Systems Inc., says that while DLP emerged in 2003 and 2004, it developed slower than many people expected, and any insurance company looking to deploy DPL products had rather limited options until the last 12 months.
"To a large degree it was due to the vendors, who were looking to evolve their technology," Shedenhelm acknowledges. "When DLP started, it was either gateway or end-point solution-nobody had it all together. It took two or three years to get to a comprehensive solution."
Shedenhelm stresses that security software must work both to thwart people sending data out and hackers wishing to break in. Now carriers can couple DLP products with access rights software that reside in the database and also PC level agents, which feed consolidated reports back to a central DLP system.
The train is continuing to move down the tracks in terms of vulnerabilities and threats, in some areas faster than others. "As we continue to move into Web 2.0 and other rich, interactive environments for our customers and employees, the risk model is changing, and the tools are giving us better options to continue to evolve the mix of controls ahead of those threats," Doughty explains.
MORE TOOLS
What's more, Doughty says better scanning methodologies enable carriers to look at the binaries of their Web-facing applications to find vulnerabilities that older, signature-based tools can't.
"There are tools emerging on the market that can help organizations provide non-stop monitoring abilities to spot anomalies," says Brian Cummings, practice manager/head of information risk management for Mumbai, India-based Tata Consultancy Services.
As the toolsets have gotten better, the security architecture has moved in a new direction, away from the network layer and perimeter security prevalent a few years ago and toward application level security. "It doesn't mean you don't have to do everything you did at legacy network level and perimeter security level," Doughty says. "You still do, but they have become more commoditized in terms of the threat model and the controls in place."
The upshot of having these new tools is that Doughty is able to kill more birds with fewer stones. "Being able to meet more threats with fewer tools has been a big win in the last few years" he says. "The efficiency of these tools also means fewer resources accomplish the same goals as compared to a few years ago."
THE BALANCE
Despite these advances in security tools, Cummings cautions that insurers need to see the forest for the trees. "It has to be holistic," he says. "You can't just plug solutions in place. You have to know who your user base is and what their needs are, and map those needs to your resources."
Yet, even knowing your resources is no mean feat. A gap often exists in the client's understanding of their total resources and assets they are trying to protect, Cummings says. To remedy this, he recommends a thorough asset classification program. "You can't protect everything equally," he says, noting that often only 10% to 20% of a company's assets warrant closer control. Cummings also suggests carriers investigate role-based access management software and an e-signature solution underwriters can use to sign a policy after they have approved it.
He also sees a place for solutions that employ business intelligence and forensics to ferret out suspicious patterns, noting that most hackers are in the system long before they are detected. These solutions could possibly help a carrier avert a "zero-day" threat, one which nobody has seen before that gets through all the firewalls and malware detectors. "One way to deal with a zero-day threat is to have software that builds intelligent patterns of access and monitors the environment so that when something new and unusual does show up, it shines like a klieg light," Cummings says.
Even technologies celebrated for their security features, such as virtualization software, are vulnerable to attack. "It is very esoteric and would have to be a very sophisticated attack, but it is something you have to be concerned about," Cummings says.
Information security officers also need to keep an eye on their own application developers. Speed-to-market pressures may threaten security, notes Sameer Bhargava, VP of software development for Indianapolis-based Kaplan Compliance Solutions. Bhargava recommends a strict segregation of duties, adding that developers should not have access to production data. "Many times companies lose focus on the risk and give too much focus to the controls," he says.
Carriers also have to work hard to strike the correct balance between both external and internal security. While wrapping a hard, crunchy exterior around a soft, chewy interior may be a proper aspiration for a candy maker; it's not one for a chief information security officer, Cummings says.
STRATEGY AND TACTICS
Another balance the information security officer must find is between the strategic and the tactical. A failure to address security on an enterprisewide basis can consign security people to what Boyle calls ‘tactical firefighting mode.' "There's always going to be a certain amount of tactical, operational work that has to be done," he says. "But, the more you can be strategic, the greater effect you can have on minimizing the number of fires you have to fight operationally."
One potential pitfall is to conflate compliance and security. "It's a dangerous game and a narrow strategy only to drive your security program and control and tooling choices around regulatory checklists," Doughty says. "There are many things we do in our security program-required based on our risk model-to address risks that are relevant to our business practices that may not be discretely tied to a regulatory driver."
While all agree that security is not something you can do part time, will security tools become so advanced that information security officers can a step back? Doughty doubts it, saying complacency is a security program's really the biggest enemy. One way to fight complacency is with proactive measures such as ethical hacking programs and employing "honeypot" solutions that are used to lure hackers to a deceptive server.
"It's a matter of constantly evolving to stay ahead of emerging threats as we look at them months, and even years down the road," he says. "It's also a matter of reallocating your portfolio of protections to meet the threat model, because none of us have unlimited resources."
Like a baseball umpire after a blown call, those charged with the sysiphean task of safeguarding an insurer's lifeblood-its data-are most visible when something goes awry. "One of the challenges is that when you do a good job, it can become invisible to upper management," Cummings says. "You must provide management with metrics and reports on a sufficiently frequent basis to help them understand that the threat is real and alive."
(c) 2008 Insurance Networking News and SourceMedia, Inc. All Rights Reserved.
