Wide View is Key to Data Security
Insurance Networking News, September 1, 2008
While information security is highly specific to each organization, many of the challenges faced by those tasked with safeguarding data are universal. For insurers of all sizes and lines of business, the focus is on combining technology and methodology to keep sensitive customer and corporate information safe.
This probably isn't news to information security officers, who need to defend against threats ranging from insider risk to organized crime to teenage hackers. As if the ever-widening menagerie of malware, viruses and worms were not enough to contend with, security officers are also being challenged to cover more ground, due to the proliferation of mobile and Web-based technology. Indeed, given the risks, the consequences of formulating business strategy without first considering the information security implications are grave.
The widespread adoption of technology enables, for good or ill, behaviors that were impossible or difficult in the past. Not only does technology multiply the avenues for misbehavior, from the USB port to the Internet, it also increases the scale of the threat. Kip Boyle, chief information security officer for Seattle-based PEMCO Mutual Insurance Co., likens the challenge faced by insurers to that of record companies when digitization enabled the easy sharing of their critical data, music.
"Years ago, sharing music was not scalable," he says. "Now it's scalable, and it's an issue. You see the same kind of thing with information security. Before, you couldn't easily take 50,000 customer records out of the building on paper. Now, with technology, we can scale misbehavior to proportions where it becomes a great problem."
PEOPLE PROBLEM
Yet, information security is not only a technological problem. Carriers need to protect information regardless of the form it takes. In fact, Boyle says the greatest challenge is getting everyone processing sensitive information to see that they have a place in the big picture, and to impart to them a thorough understanding of what it means when information security goes wrong. "When you boil it all down, information security is really a people problem."
Complicating this is the heterogeneous nature of the modern enterprise. Employees, partners and contractors all require different levels of access to sensitive data. "You need to have a focus on information and accept that you are going to be interested in information protection without regard to who is handling that information," Boyle says.
[Photo: Kip Boyle]
A 2007 study from New York-based Deloitte Touche Tohmatsu buttresses Boyle's contention. The study, based on a survey of senior information technology executives, found 79% of respondents citing the human factor as the root cause of information security failures. In addition to breaches perpetrated by customers, third parties and business partners, the survey found that a high number of repeated occurrences were attributable to employees, both intentionally, through misconduct, and unintentionally, through errors and omissions.
So how do security officers get employees across the enterprise to take information security seriously? One way is to build strong relationships with business leaders, says Thomas Doughty, chief information security officer for Newark, N.J.-based Prudential Financial Inc.
"If a control is important to a business risk owner, a head of the business, it will become important to all those supporting it internally," Doughty says. "If it's just a standards-based checklist issued by the information security office, it's less relevant and may even breed circumvention over time."
PARTNERS AND EVANGELISTS
To help counter this and create a culture where security is firmly in the minds of business people, Prudential employs a federated model, pushing responsibility for security outward to all the points of execution, both technical and operational. "We make sure the right things are appropriate to the right people who own the risks," Doughty says. "Trying to drive that last layer of execution centrally would not be particularly effective or efficient."
Thus, when discussing a new security tool with senior business leaders, Doughty tries to make sure they understand the operational and business risks. "Business leaders can become evangelists for security programs for their own reasons," he says.
[Photo: Thomas Doughty]