In The Thick of IT: Chief Information Security Officers Address Broad Risk Management Concerns

As information technology has permeated deeper into the insurance enterprise, today's chief information security officers' reach has expanded and their role has evolved into a broader risk-mitigation function.

As technology has permeated the operations of business units, so have its potential vulnerabilities. As a consequence, business stakeholders need to exercise vigilance about potential security threats. "They are our primary source of intelligence in terms of where the business risk may be moving, at a pace warranting adjustment of technical controls," Doughty elaborates. "We don't want to be in the business of centrally choosing security solutions and then presenting them back to the business, essentially saying, 'Here they are -- go figure out how you're going to fit this control into your business operations.'"

In other words, an operational world that embraces the necessity of business-IT alignment implies the necessity of business-security alignment. "You need to look at security as a business capability within the enterprise, and as an issue for how you invest in applications and manage security for them," remarks John Mullen, vice president within Capgemini's (New York) insurance practice. "It's no longer just an infrastructure issue."

It's inevitable that security would expand out of its traditional back-office role as regulatory and reputational exposures are so closely associated with the newer capabilities that drive success, according to Mullen. Within the new model, the CISO emerges as a consultant to the business -- not as a supplier of background, lights-on capability, but as a partner explaining security as an element of the total cost of ownership associated with the build-out of business capabilities. And if the right kind of communication exists between the business and IT, those costs should be easy for business unit leaders to swallow.

"If I'm running an underwriting book of business and I have a security issue, I'm going to care about that much more than having a piece of functionality available to me," Mullen contends. The bottom line, he adds, is that "the complexity of regulations, applications and technology architecture creates the need for the business unit leadership to understand security risks at every point in the game, including appropriate trade-offs of functionality needed to appropriately address those risks."

SOA Security Burden

This is especially the case as business leaders seek to leverage service-oriented architecture (SOA), which has been sold to the business as a means of delivering capability with greater speed at lower cost. Executives have been adequately briefed with regard to the initial costs of moving to SOA from traditional architectural frameworks. But they are less likely to be well-informed about the need to address security risks peculiar to SOA, resulting in added cost and delays, according to Jeromie Jackson, principal security administrator and de facto CISO of San Diego-based ICW Group, a privately owned P&C insurer that operates in more than 40 states through its Insurance Company of the West, Explorer, and Independence Casualty and Surety subsidiaries.

"With SOA enabling IT and the business to be more innovative, you might expect projects to be executed more expeditiously," Jackson says. "But the security ramifications of SOA are going to require a much deeper planning phase."

For starters, the services utilized within SOA are called upon by different parties in a variety of workflows, creating novel access-management challenges, Jackson notes. "For example, you may develop a service for MVRs [motor vehicle records], but in my workflow the security ramifications would be dramatically different than those that would be imposed on an underwriter," he says.
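The access-management point above, as an added Python illustration that is not ICW Group's code or the article's own: one shared MVR lookup service applies a deny-by-default policy that tailors what it returns to the calling workflow, so an underwriter and a claims handler calling the same service get different results. The workflow names, record fields and policy table are constructed assumptions for the example.

```python
"""Per-workflow authorization for a shared SOA service (MVR lookup).

Added illustration; workflows, fields and policy are assumed, not real.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample record as the MVR service might return it internally.
SAMPLE_MVR = {
    "license_no": "D1234567",
    "name": "Jane Q. Driver",
    "dob": "1980-04-02",
    "violations": ["speeding 2022-05-01"],
    "points": 3,
    "status": "valid",
}

# Assumed policy table, deny-by-default: a workflow not listed gets nothing,
# and each listed workflow sees only the fields its task actually needs.
POLICY = {
    "underwriting": {"fields": {"license_no", "violations", "points", "status"},
                     "needs_justification": True},
    "claims":       {"fields": {"license_no", "status"}, "needs_justification": True},
    "agent_portal": {"fields": {"status"}, "needs_justification": False},
}


@dataclass
class Request:
    subject: str                          # authenticated caller identity
    workflow: str                         # business workflow invoking the service
    justification: Optional[str] = None   # e.g. quote or claim id tying the lookup to work


@dataclass
class Decision:
    allowed: bool
    reason: str
    data: dict = field(default_factory=dict)


def authorize_mvr(req: Request, record: dict = SAMPLE_MVR) -> Decision:
    """Return the subset of `record` the calling workflow may see, or a denial."""
    rule = POLICY.get(req.workflow)
    if rule is None:
        return Decision(False, f"workflow {req.workflow!r} is not enrolled for MVR access")
    if rule["needs_justification"] and not req.justification:
        return Decision(False, "business justification required for this workflow")
    # Field-level filtering: identical service call, workflow-specific view.
    filtered = {k: v for k, v in record.items() if k in rule["fields"]}
    return Decision(True, "ok", filtered)
```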

SOA's characteristic interactivity also raises novel auditing challenges. "People who conduct proactive governance in the development of SOA-type applications will need a different skill set," claims Jackson. "They need to understand not only the applications and the servers they reside on, but also the code that is being distributed between the systems," he continues. "Security auditors need to have strong programming foundations in order to be able to effectively assess the environment."

There are, of course, benefits to taking a more up-front approach to security in the application development process as opposed to addressing security as an afterthought. The latter tended to add unforeseen costs to projects, while the former makes those costs more transparent, according to Jackson. Furthermore, the security demands of SOA are likely to provide impetus to driving technology standards into the IT environment and making them stick, he contends.

Anthony O'Donnell has covered technology in the insurance industry since 2000, when he joined the editorial staff of Insurance & Technology. As an editor and reporter for I&T and the InformationWeek Financial Services of TechWeb he has written on all areas of information ...
