In today's environment, it takes more than technical expertise to run a secure insurance enterprise. Regulatory and transparency requirements dictate secure treatment of customer data and proprietary processes. Allstate's (Northbrook, Ill.; $94 billion in total assets) chief information security officer, Kim Van Nostern, brings the right blend of expertise, having spent more than 25 years at the carrier working in both IT and operations.
Q: How does your MBA and your experience on the business side of Allstate help you on the information security side?
Van Nostern: I have grown up for the last 20-something years in the IT part of Allstate's business. But even though most of my experience was in technology, I have been in different parts of the insurance business as well. I was the operations manager for Allstate Motor Club, and I was also in the Los Angeles metro area working for the regional vice president there, with the agency force, mainly on technology issues. But I've had a lot of experience working with and understanding the business that we're in. I think that's been an incredible benefit, because not only do I understand the technology, but I also understand the financial services business and the protection business. That really gives me a leg up as the CISO to be able to relate what we do from an information security standpoint with the business imperative.
Q: How does a firm move to a security model that focuses on risk management to solve security problems?
Van Nostern: What you have to do is focus more on the compliance and governance side, or at least be as focused on that part of the business as you are on the technical part. We built a compliance organization just in the last year and a half. We have very much focused our efforts on assessing our vendor security controls, because of things like GLB [Gramm-Leach-Bliley] and Sarbanes-Oxley and the new California 1386 Senate Bill. We have had to make a conscious choice to build that organization to deal with these new issues.
Q: How do you prioritize which regulations you will comply with first?
Van Nostern: I would like to say that we can think three years out and be very proactive, but the bottom line is that HIPAA [Health Insurance Portability and Accountability Act] came out with a deadline in April for security controls, so we made HIPAA a priority. Identity theft and customer privacy - things like the ChoicePoint incident - forced us to assess our vendors on how they protect our customer data. Those incidents are becoming more and more widespread, so we are very driven to figure out if the vendors we share data with are protecting our data. That's a big priority for us. GLB was the first regulation to come out, and that was the initial priority, and then HIPAA, and now risk management.
Q: Does the deployment of assessors and adjusters to disaster areas create any special security issues?
Van Nostern: With remote workers, it is definitely a little more difficult from a security perspective to make sure they are patched and do not bring something into the network when they connect. So, yes, I would say that remote workers represent additional challenges for us compared with someone who is connected all the time on the corporate network. We are very diligent about scanning to ensure that anyone coming into the network has the most current releases of patches required. We are working on implementing what we call "patch jail," which means if they don't have the patches, they go into a quarantine area until they download the patch or we update them.
Q: Allstate's information security shop has more than 80 staffers. How did you convince management to invest so much in infosecurity?
Van Nostern: I wish I could say that we had to do a lot of work. But I can't say that. What I can say is that our CTO, Cathy Brune, gets it. She understands the need for information security, and she has said many times that we don't care about an ROI in security. We know what we need to do. Yes, we have to talk about why we're doing things, but she and Ed Liddy, our CEO, understand our need for information security, and therefore we have the ear of the executives in this company to get the funding for what we need to get done.
Now, I don't think 86 people is a lot of people, out of more than 4,000 technology people across the company. It's never enough. We have had to build a compliance and governance organization just with the new privacy regulations and HIPAA and GLB, and we have the Allstate Bank, so we have to provide security resources there.
Many companies have a core group of 10 to 12 corporate people and then distribute information security out to the businesses. We don't handle it that way. We don't distribute our information security.
Courtesy of Secure Enterprise.