Have a Smooth Ride

Get strapped in, adjust your mirrors, and keep your eyes on the road—yours is a risky business. As an insurance technology executive, you must cope with many kinds of operational risk—and do it prudently.

As the first anniversary of September 11, 2001, arrives, resorting to platitudes such as "you can't be too careful" may seem to trivialize the tragic events of that day. But the phrase is wrong in other respects as well. In some sense, you can be too careful, or too careful in the wrong ways. Senior insurance technology executives must be alert to a range of operational risks, from those addressed through the efforts of disaster recovery, to those covered by network and physical security measures, all the way to the ones inherent in the choices made in every kind of technology investment. All risks, in the end, are business risks, and they need to be approached with discipline.

"One of the things September 11th showed us is that we need to be very clear on whether we are over-investing or under-investing, whether we are able to identify and quantify the potential exposure that's out there," according to Jon Erickson, senior industry analyst at Cambridge, MA-based Giga Information Group. "If we're spending too much in areas we shouldn't be spending our security dollar on, that's throwing money away just as much as under-investing is—and the rule applies to all spending, whether for security, an internal application or for an e-commerce site."

The disaster recovery/business continuity plans of insurance companies exposed to the events of 9/11 actually tended to work very well, largely confirming the strategies employed. Nevertheless, problems emerged from areas not dreamed of in those plans. For example, communications problems arose from a failed AT&T switch and from the sheer volume of mobile phone traffic provoked by the crisis; system functionality was rapidly relocated to backup sites, but the people to run them often weren't. The lesson was that we may be good at preparing for what we anticipate, but we need to anticipate better "what the next big thing will be, and what the gaps are," says Mike LaPorta, global leader, insurance, Deloitte Consulting (Stamford, CT). "A prudent person would look at the failures of resiliency plans and shore them up."

Still, anticipating is to a certain degree the easy part. "Even if you could anticipate every possible outcome, you can't afford to protect yourself from them—it would sop up every dollar that a company has to do other important things more related to growing the business and reducing costs," LaPorta says. "It's imperative that companies identify the appropriate risks, value them, then assign funds to mitigate against them in a very rational way."

The attempt of Warren, NJ-based Chubb insurance group ($30.4 billion in assets) to do just that resulted in the formation of the Chubb Security Caucus, an assemblage of the firm's top business and technology leaders that meets at least once a month, according to Jerry Giesler, senior vice president, IT. The body has "been a tremendous accelerator for us to get commitments to programs that people weren't as aware of prior to September 11," he says.

The 9/11 events also triggered the appointment of a full-time director of information security at Chubb—which Giesler believes "would otherwise have been delayed due to budgetary constraints"—and created a two-tiered corporate incident management team composed of a senior-level "executive team" and a "representative team" composed of delegates from key corporate areas.

Chubb's governance measures have fostered methodical evaluation and prioritization of risk mitigation efforts, according to Giesler. "We've already been through that in the narrow view of our computer systems, but we have not yet completed what we're calling a business-risk assessment for all other aspects of our operation," he says. The process allows for the dialogue between IT executives "and some consultants we've engaged, to ask the business leaders questions that encourage them to think of things they either wouldn't or wouldn't want to think of."

One of the things that nobody thought of at Royal & SunAlliance (R&SA, Charlotte, NC, $9.2 billion in assets) before September 11 was "that e-mail is one of our critical applications," says Chris Heeley, CTO. "Before, when we did our disaster recovery plans, the first thing you wanted to recover were your line-of-business applications so you could take claims, process premiums, etc., and e-mail would have fallen way down the list, along with restoring telephones for internal communications. But what we found out was there wasn't a whole lot of business to conduct because communications were interrupted."

Another unanticipated development was transportation interruption. "When we needed to get things like servers and hard drives up to our New York offices, we didn't have a way to do it," Heeley recalls. "Planes weren't flying, rental cars were all taken because people couldn't fly, UPS and FedEx weren't flying and our corporate jets were grounded—the only way to get things there were courier services and employees in automobiles," he adds.

As a result of the 9/11 experience, R&SA has expanded scenario planning and has instituted an incident management team chaired by a corporate risk manager and staffed with a security practice leader, responsible for the risk associated with information technology. The team is guided by "solid processes and procedures in the event of any incident, from a major disaster to an employee event," Heeley says.

Certain risks may be taken with a kind of passive preparedness, but others must be addressed more proactively, Heeley argues. "We have a large population of employees in New York, so it begs the question whether we should be thinking in advance about what we would do in particular," rather than enforcing a general kind of preparedness. The idea is to identify potential target sites according to characteristics, e.g., government sites, nuclear plants or monuments, and then map them according to internal factors such as employee density, offices and equipment. "That model gives you some value that tells you it might make sense in those cases to be proactive in developing your response," Heeley adds.

IT Asset Management

That proactive approach is crucial in mitigating other risks that may be less consequential in some senses, but just as urgent and perhaps more immediately relevant to the senior technology executive's job. The value of technology assets to do work for a company is closely correlated to their capacity to be used to work against it. Accordingly, within R&SA's overarching concept of risk management—which locates risks in the areas of people, real property, contents (of buildings) and systems—lies what Heeley calls "proactive protection for IT assets," including monitoring firewalls, intrusion detection, etc.

To monitor its information assets R&SA has installed a Peregrine Systems (San Diego) solution including the vendor's AssetCenter, which manages an asset from the time it enters to when it exits an organization through return, sale or disposal, and InfraTools, which performs network and desktop discovery. The solution "has the power to look down the wire to see what assets are on the desktop, whether hardware assets—PC, laptop, monitor, etc.—or the information assets on them, such as Microsoft (Redmond, WA) Office or Visio, Access databases or Armonk, NY-based IBM's Lotus Notes," Heeley claims. "All of those assets are populated in the asset management system and tracked, which is helpful as we're in the middle of an operating system upgrade and it's nice to know which applications are certified for the new operating system."

Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...
