In The Thick of IT: Chief Information Security Officers Address Broad Risk Management Concerns
The tried-and-true information security metaphor is that of a wall of protection around a sensitive core. The metaphor lives on in the name of the most external of measures -- the perimeter defenses of network security. But the nature of information security has changed, in terms of both quantity and quality.
The perimeter itself has expanded in myriad ways with the increasing adoption of mobile and collaboration technologies, the locus of vulnerabilities has ramified within internal processes and technology, and intensifying regulatory scrutiny with regard to privacy and security has made inappropriate data and information transmission ever more hazardous to a company's fortunes. Consequently, the job of chief information security officers (CISOs) is less like an armored defender behind thick castle walls and more like a resourceful ranger on patrol in a tangled forest whose many trunks and branches constitute the territory's strength -- but also its vulnerability to concealed threats.
The information security threats -- both internal and external -- that insurers face today are growing in size and complexity, and at a pace much greater than ever before. Business took a major step at the dawn of e-commerce, knowing that reaching out to customers, distributors and business partners over the Internet meant exposing internal systems to external mischief. But that exposure has not remained static. External threats have grown more sophisticated, as hacking as mischief and vandalism has given way to hacking as a criminal enterprise.
But evolving security threats have been driven equally by internal changes. As Web-based technologies have begun to dominate core systems, as more transactional capabilities have been extended outward, as technology-mediated relationships have proliferated in number and spread over geographies, and as data is stored in more and more remote locations and transmitted to increasing numbers of mobile terminals, the CISO job has metamorphosed into something bigger and more vital than before.
"As you expand the intended reach of your data and processes, you have to correspondingly expand the reach of your controls," says Tom Doughty, CISO, Prudential Financial (Newark, N.J.; $616 billion in assets under management). "And as the implementation of how you expand those business boundaries changes, the adaptive nature and the reach of your technical controls have to expand at the same time."
The perennial exposure associated with reputational, financial, operational and regulatory risks hasn't changed in its fundamental nature, according to Doughty. But the underlying threats are changing, and the useful life span of a given control measure is potentially much shorter than it has ever been, he notes. In such a shifting environment, "The real risk for us in the security space is complacency," Doughty cautions. "We need to be continually adaptive in terms of how we address those types of business risks with technical solutions."
One of the most telling security adaptations has been the reorientation from a focus on the network perimeter to a focus on the application layer of technology infrastructure, according to Doughty. "That's not to say that we are not doing everything we used to and that we can do against perimeter threats," he says. "But the bulk of threats and exploits, at least from the outside, is now at the application and business-logic levels."
Long-standing attention to the outer wall has made network-layer attacks somewhat of a "dry well," Doughty says. Perimeter controls have reached a level of maturity that renders network attacks unfruitful for even highly motivated hackers, he explains.
The same cannot be said about deeper application-layer attacks, in which the environment has a less-permanent character and controls are less mature. "There is more-rapid change happening within applications, so we need to be more diligent about maintaining controls in the midst of those changes," Doughty comments. "And there's simply more room for creativity in crafting attacks to exploit application-layer code vulnerabilities or lack of input/output controls."
The shift in orientation of attacks has been dramatic -- conventional wisdom now says that about 80 percent of malicious code and attack signatures are aimed at the application layer, according to Doughty. That's an ominous statistic for companies that put great stock in their perimeter intrusion and detection measures.
"You can count at a very rapid clip how many packets and how many pieces of malicious code you defend away at your perimeter, but it's really like counting raindrops that hit the roof -- it's not a particularly significant number because the controls are so much more effective at the network layer," Doughty remarks. "If you fall into that trap of complacency with your controls of yesterday, you're lulling yourself into a false sense of security if someone is coming through the basement door at the application layer -- that's where we're focusing a great deal of incremental efforts today."
A Culture of Security
Building new technical security competencies and introducing tools into the technology environment are integral aspects of the information security function, but security is more than just dependence on technical measures, Doughty asserts. "While we have to be adaptive with technical solutions, looking backwards from the business problems that are changing at a rapid pace, people in dedicated security roles are not the only ones we depend upon to make that work," he says. "Tools can leverage a culture of security, but they can't create or replace a culture of security."
Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...