Today, my house has multiple locks on every door, and it has become second nature to turn on the security system every time I leave. It never seems odd to me until I consider that, growing up, we routinely left the doors and windows wide open when we left the house.
In business, it seems inconceivable an insurer could operate without the firewalls, virus protection, private network software, and a host of other security technologies that protect information assets. But consider that information security, at least of the electronic variety, still is a relatively new activity.
"To put it in perspective, in the early '90s, [our] security team was eight people," says Bruce Bonsall, CISO at MassMutual Financial Group, Springfield, Mass., a number that may well have been eight greater than many other companies. "Now, we have 30 people, and the number of issues has grown equally. With each new technology comes new vulnerabilities and exploits; every time we figure out how to use it, someone else figures out how to abuse it, and this game of one-upmanship keeps us very busy."
There is one important difference, however, between the current states of information security and home security. Regulation does not require you to lock your doors; in contrast, federal regulations (in particular, Gramm-Leach-Bliley, HIPAA, USA PATRIOT, and Sarbanes-Oxley) all have security-related components that affect the insurance industry. At the state level, various NAIC-modeled and other regulations affect carriers as well, perhaps the most notable (or notorious) of which is California's SB 1386, which requires insurers to disclose any breach of security regarding customer data.
Although each piece of legislation differs in the details of its security requirements, combined they have created one very important effect. They have shifted the focus of information security from securing the data assets that insurers deemed important or strategic to, first and foremost, securing customer information (that is, protecting privacy). Granted, an insurer's strategic information may well be its customer information, but the point is carriers cannot make that determination themselves.
Yet for the most part, people agree regulations have been a benefit for both consumers and the businesses that need to comply. "From a security practitioner's standpoint, [the regulations] are a good thing. They bring up the companies that haven't done an adequate job to at least a minimum level. Those that are not adequately secured present a risk to us, because their systems usage can be detrimental if they are used for propagating viruses, spam, or denial-of-service attacks," says Bonsall.
Insurers also must avoid making the assumption that regulatory compliance equals information security. "[Companies] complying with audits and satisfying the acts are not necessarily improving security in their organization," says Bob Kramer, vice president of public policy at the Computing Technology Industry Association (CompTIA). "That's not to say organizations aren't improving security, but it's not because the acts have had a cause and effect."
In part, that's because legislation creates only a lowest common denominator: the minimum companies must do to avoid fines or other legal action. Whereas information security is a continually fluid situation, with insurers facing new threats daily, regulations are relatively static and may not address adequately, or quickly enough, the security landscape.
"Simply being compliant with any particular regulation defeats the purpose, because [laws] will change over time," says Ioana Carastan, manager in Accenture's security practice. "New legislation will come out to fix problems with existing laws. So if you're just compliant with law X and you spend a lot of money to get there, when law Y comes out that adds more requirements, you'll spend more money to get there again."
Therefore, creating a comprehensive holistic security practice that will by its nature also be compliant with regulations should be carriers' ultimate goal. "The regulations were a wake-up call, but good carriers realize information security is important not only to comply with regulations, but because it's good for business," Carastan says. "Insurance companies rely on having a lot of happy customers."
Yet leveraging security as a competitive differential still is uncommon and relatively abstract compared to the more tangible issues of price and service that are carriers' traditional selling points. Additionally, while it might be intuitive to those in IT that providing information security beyond the requirements of regulation is important, it is not necessarily so to those on the business side.
"A big part of our role is to be the champion [of information security]," Bonsall says. "We've spent a lot of time over the past two years getting out and meeting with all the senior business people to talk about security and privacy." For example, this year MassMutual's security department presented a seminar on the governance of cyber space, where staff members detailed their interpretation of regulations on MassMutual's e-commerce initiatives.
"Each organization must be aware of security as part of its business model," says Tom Santaniello, U.S. public policy manager at CompTIA. "Every CISO I've spoken with has reiterated there is not just one magic [technology] bullet to security. It has to be a cultural adoption throughout organizations, and they have to recognize the ROI of security programs."
Security ROI?
At its most fundamental level, the return on investment of security projects and technology is they allow a company to keep operating. "People won't do business with you if you can't keep a secret," says F. Christian Byrnes, vice president and director of security infusion at META Group.
But in today's ROI-driven environment, that may not be enough to move security toward cultural adoption rather than an "install it and forget it" project. "In hard dollars, in terms of what's my return on this particular use of capital, you're going to have a hard time doing it," says John Sarich, insurance industry marketing manager in the consulting practice at FileNet. "It can enable me to keep up with my competitors, to serve my agents better, to retain business, to serve customers better. But those types of things are soft and qualitative [returns]."
A problem is, however, by virtue of their emphasizing compliance over effect, regulations have shifted the way in which security projects are viewed toward being fine-avoidance initiatives rather than cost-cutting or even revenue-generating efforts. "The real issue for some companies is, 'What are the consequences of not doing something, of not spending on security plans?' Then, how does that compare to the cost of [spending on those plans]?" Santaniello asserts.
Traditional ROI calculations are even more complicated because the cost of not doing something is contingent on a security breach actually occurring, and that adds an unknown into the equation. "I can point to all kinds of [vulnerability] statistics," Carastan says. "But ultimately, I can talk only about probabilities, and it's a hard sell."
One might expect insurers, which make their living off risk-assessment decisions, would have an easier time accepting a probability-of-loss argument for information security. Yet Carastan explains, "They understand the concept better, but because they're so used to quantifying and accepting risk, it almost hurts [business acceptance], particularly if it's an insurance company that deals in higher-risk individuals. To them, a 20 percent probability of [a security loss] is nothing."
There are, however, exceptions to the difficulty of calculating hard-dollar ROI on security projects, the most significant being identity and access management technologies. "Companies have done identity management so poorly," Byrnes explains. "Typically when you're hired into a company, you need between 15 and 30 different computer accounts established. And there may be 15 to 30 different people managing those. When you quit, you need to go through and close those individually. We've seen companies reduce 10 full-time equivalent positions with just a 60-day investment."
AXA Financial, for example, looked to streamline the various procedures and in-house-developed systems it had in place to manage securely thousands of internal employees and associates as well as hundreds of thousands of external clients, according to Lee Tung, managing director at the insurer. In May 2003, the company completed deployment of NetPoint, an identity management and Web access control solution from Oblix. Tung reports the system links users, applications, and access permissions; automated workflow processes in Oblix allow AXA Financial to manage and control the steps in provisioning and deprovisioning access and to provide the auditing capabilities required for regulatory compliance.
Although system costs were not available, Tung says the business impact of the system was a key consideration in its purchase. This impact has been felt even in the short time since the system has been in place and even though all capabilities of the previous access management system have not yet been rolled to NetPoint.
"We have seen improvement in administrative efficiencies. For example, we've been adding applications, absorbing Siebel and new sales distribution [systems], without having to add administrative support to grant access to these systems," Tung says. "We've absorbed the costs of the new implementation with the same head count. With the same staff, we can do more."
More Than Technology
In addition to changing their view of security as only a regulatory-compliance exercise and overcoming the difficulty of calculating ROI on security projects, insurers also have struggled to view information security as more than a technology initiative. Carastan says this struggle is understandable. "What do business people [see] as the manifestations of security problems? You get hacked, your Web site is defaced, your database is exposed. They see that as a technology problem. So they'll go find the best technology person they can find, make that person the security officer, and say, 'Fix my problem.'"
But addressing only the technological security of information is a myopic view that overlooks the business necessity of that information. "I'm not interested in protecting the computer for the computer's sake," says Bonsall. "The computers are in a bomb-proof room humming quietly along, and we could just lock everything up and not allow any packet across the wire. Then we'd be really secure."
To find an effective balance between absolute security and unfettered information use, MassMutual has worked to evaluate security on the enterprise level, both to determine what level of risk may be acceptable and to better understand the human component of security. "If one manager decides he's willing to accept all kinds of risk and put our name at risk, he's assumed more risk than the enterprise is willing to take," Bonsall explains.
Stay Alert
Information security experts know insurers should never rely solely on technology to protect the security of their key data. Since all the network security in the world is completely useless if a poorly trained call center representative gives confidential information to someone he or she shouldn't, some insurers have looked for ways to help reduce human error and ensure compliance with security regulations.
For instance, when property/casualty insurer Security Mutual set out to develop a new policy administration system, called Acies/one, with longtime development partner Insurance Data Processing (IDP), one of the key requirements was the system would provide alerts about which customers had opted out of the disclosure of personal information. According to Marielen Leonard, production systems manager at Security Mutual, staff previously would have to refer to filed notes regarding what kind of information could be released, toggling between the administration system and a separate imaging system to look for annotations and customer opt-out requests.
With the new system, alerts regarding nondisclosure of certain types of information are displayed directly on the policy information screens. "Now, we're looking in one place," Leonard says.
Security Mutual's design requirement points to the fact that in today's regulatory environment, security must be considered an integral part of system architecture and not an add-on. "If you just slap in new technology, and it's inconvenient and painful," Carastan says, "it will fail."
However, she maintains the concept of integrating security into project design and development is a relatively new concept. "Up until two or three years ago, you couldn't find a single university that had security baked into its [technology] programs out there. We just now are starting to see security being offered as a minor, or at least as its own separate class, although it still is generally an elective," Carastan says.
Lack of Training
This historical lack of security training has resulted, she says, in a current crop of IT staff for which security is not necessarily top of mind in system design. Therefore, insurers (and other companies, for that matter) may need to invest in security-coding training for existing staff members as they work toward establishing regulatory compliance and holistic security practices. Consider, for example, even Microsoft reportedly ceased work on the production of its Windows Server 2003 while developers trained for 10 weeks in writing secure code.
To complicate matters, engineers often are faced with system design requirements from staff that does not know what security issues should be addressed, either. "Developers are given requirements, and they're always functional requirements: 'Our system needs to do these five things, and you have a month to do it.' The designer is going to take some shortcuts to get things done faster and therefore build vulnerabilities into that system. There needs to be a process whereby you start the design of the process by talking to the security staff to get design specs upfront, just like you talk to the network and the DBA staff," says Carastan.
It is essential, therefore, IT take a proactive approach in establishing security as part of every system design. At MassMutual, for example, the security team is part of system development. "We're always trying to insert ourselves earlier in the life cycle of applications, and recently we've implemented a process where sign-offs are required on new applications, new outsourcing arrangements, and on purchases of new applications," explains Bonsall. Security approvals are required in the design phase, the architecture phase, and in preproduction systems inspection, he reports.
While some view information security too much as a technology problem, others conversely have failed in their security efforts by viewing it as a compliance-only problem and choosing a manager with no technology background to lead the security department. Says Carastan, "Security is a highly specialized field, and not all companies recognize that. Companies underestimate the knowledge required to manage information effectively from all aspects, not just regulatory compliance."
"Right now we have a lot of regulatory angst among companies trying to comply with Sarbanes-Oxley, GLB, and HIPAA," Byrnes says. "But the angst is coming from the vertical industry segments that haven't dealt with [regulation]. I know of a few insurers that are behind the eight ball, but for the most part, the industry is fine-tuning as a result of regulations. Healthcare in particular is most impacted because of HIPAA, but it's also the most responsive and most advanced."
"Generally, insurers do well because they're a conservative underwriting organization," says William Fournell, vice president in Cap Gemini Ernst & Young's financial services consulting group. "That has allowed them to adapt to some of the new security regulations better than in other industries."
Perhaps what best prepares insurers to address information security, though, is the continued vigilance, and inherent suspicion, of their security staff.
"I still have this nagging fear, in the background, that people [continue to be] too complacent," Bonsall says. "Because most people are good and honest, they don't envision bad things happening. But the reality is not everyone is good and honest, and we have to take steps to protect ourselves against them."