Liberty Mutual Insurance Melds Regulatory Compliance with Security Awareness to Better Protect Assets, Customers, and Employees

Transcript of a BriefingsDirect podcast on how Liberty Mutual Insurance has adopted a new, heightened security posture that permeates the development process.


Listen to the podcast. Find it on iTunes. Sponsor: HP

Dana Gardner: Hello, and welcome to the next edition of the HP Discover Performance Podcast Series. I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives.

Once again, we're focusing on how IT leaders are improving performance of their services to deliver better experiences and payoffs for businesses and end-users alike. [Disclosure: HP is a sponsor of BriefingsDirect podcasts.]

I'm now joined by our co-host for this sponsored podcast, Raf Los, who is the Chief Security Evangelist at HP Software. Welcome back Raf, how are you?

Rafal Los: Glad to be back, Dana.

Gardner: And where are you joining us from today, where is your travel taking you?

Los: Well, we are at HP Protect 2012, here in beautiful Nashville, Tennessee, where the sun is shining and the birds are chirping country music.

Gardner: Excellent. We have a fascinating show today, because we're going to learn how Liberty Mutual Insurance is building security more deeply into its business, and with that, I'd like to introduce our special guest, John McKenna, Vice President and Chief Information Security Officer for Liberty Mutual.

Welcome to the show, John.

John McKenna: Glad to be here.

Gardner: You're both at the HP Protect show in Nashville, so let's focus on security a bit. Why is security so important to your business now, and why are you investing heavily?

McKenna: It's pretty clear to us that the world has changed in terms of the threats and in terms of the kinds of technologies that we're using these days to enable our business. Certainly, there's an obligation there, a responsibility to protect our customers' information as well as making sure that our business operations can continue to support those customers.

So, as I said, it's the realization that we need to make sure we're as secure as we need to be, and we can have a very deep discussion about how secure we need to be. In addition to that, we have our own employees, who we feel we need to protect to enable them to work and get the job done to support our customers, while doing so in a very secure workplace environment.

Gardner: You started off by saying that things are different. You recognized that. How do you generally think things are different now than, say, four or five years ago?

McKenna: I'll start with just the technology landscape itself. From mobility platforms and social networking to cloud computing, all of those are introducing different attack vectors, different opportunities for the bad guys to take advantage of.

Reducing the threat

We need to make sure that we can use those technologies and enable our business to use them effectively to grow our business and service our customers, while at the same time protecting them so that we reduce the threat. We will never eliminate it, but we can reduce the opportunities for the bad guys to take advantage.

Los: John, you talk about for your customers. From a security perspective, your customers are your external customers as well as internal, correct?

McKenna: We absolutely have our internal customer as well. We have partners, vendors, agencies, and brokers that we're doing business with. They're all part of the supply chain. We have an obligation to make sure that whatever tools and technologies we are enabling them with, we're protecting that as well.

Gardner: John, Liberty Mutual, of course, is a large and long-time leader in insurance. Tell us about the breadth and depth of your company. I imagine you're quite dispersed, as well, with many different lines of services. Help us understand the complexity that you're managing, when it comes to bringing security across this full domain.

McKenna: We're a global company in the Fortune 100 list. We have $35 billion in revenue and we have about 45,000 employees worldwide. We offer products across the personal and commercial lines products, or P&C, and life insurance products. We've got somewhere in the range of 900-plus offices globally.

So we've got lots of people. We've got lots of connections and we've got lots of customers and suppliers who are all part of this business. It's a very complex business operation, and there are a lot of challenges to make sure that we're supporting the customers, the business, and also the projects that are continually trying to build new technology and new capabilities.

Gardner: Raf, when we talk about what's different in companies, one of the things I'm noticing that I think is pretty important when it comes to security is that in the past, security was really something that was delegated and was an afterthought in some respect.

But I'm seeing a lot of companies now that, when they're planning new products and services, start asking those questions right away. Is this something we can deliver securely? Should we bring this product to market in this way, when security concerns or privacy concerns are something that we need to consider for our brand, and our employees' and our supply chain's protection?

It seems to me that security is now a thought right at the very beginning of planning for new services. Is that the case in your travel?

Los: That's what I'm seeing, and there's still the maturation that's happening across the enterprise spectrum where a lot of the organizations -- believe it or not, in 2012 -- are still standing up formalized security organizations.

Not a given

So security is not a given yet, where the department exists, is well-funded, well-staffed, and well-respected.

You're getting to that state where security is not simply an afterthought, as it was in an organization in my past job history a decade ago or so. In those types of companies, they would get it done and then say, "By the way, security, if you take a look at this before we launch it, make sure it's given a virtual thumbs up. You've got about 20 minutes to go."

If you can get away from that, it's really about security teams stepping up and demonstrating that they understand the business model and that they're there to serve the organization, rather than simply dictate policy. It's really a process of switching from this tight iron grip on control to more of a risk model.

It's sort of a cliché, but IT technology risks understanding acceptance and guidance. I think that's where it's starting to win over the business leaders. It's not that people don't care about security. They do. They just don't know they do. It's up to us to make sure that they understand the context of their business.

Gardner: John, is that ringing true for you at Liberty Mutual, where there is more concern and thought put into security as you're bringing products and services to market and as you're considering what new products and services to bring to market?

McKenna: It absolutely is. It goes from the top on down. Our board certainly is reading the headlines every day. Where there are new breaches, their first question is, "Can this happen to us?"

So it certainly starts there, but I think that there absolutely is an appreciation at our strategic business units, the leadership, as well as the IT folks that are supporting them, that as we're rolling out new capabilities, we have a responsibility to protect the brand and the reputation. So they're always thinking first about exactly what the threats and the vulnerabilities might be and what we have to do about it.

We've got a lot of programs underway in our security program to try to train our developers how to develop applications, secure coding practices, and what those need to be. We've got lots of work related to our security awareness program, so that the entire population of 45,000 employees has an understanding of what their responsibilities are to protect our company's information assets.

I will use a term used by a colleague that Raf and I know. Our intent is not to secure the company 100 percent. That's impossible, but we intend to provide responsible defenses to make sure that we are protecting the right assets in the right way.

Los: That's very interesting. You mentioned something about how the board reads the headlines, and I want to get your take on this. I'm going to venture a guess. It's not because you've managed to get them enough paper, reams of paper with reports that say we have a thousand vulnerabilities. It's not why they care.

Quite a challenge

McKenna: Absolutely right. When I say they're reading the headlines, they're reading what's happening to other companies. They're asking, "Can that happen to us?" It's quite a challenge -- a challenge to give them the view, the visibility that is right, that speaks to exactly what our vulnerabilities are and what we are doing about it.

At the same time, I'm not giving them a report of a hundred pages that lists every potential incident or vulnerability that we uncovered.

Los: In your organization, whose job is it? We've had triangulation between the technical nomenclature, technical language, the bits and bytes, and then the stuff that the board actually understands. I'm pretty sure SQL injection is not something that a board member would understand.

McKenna: It's my job, and it's working with my CIO to make sure that we are communicating at the right levels and very meaningfully, and that we've, in fact, got the right perspective on this ourselves. You mentioned risk and moving to more of a risk model. We're all a bit challenged on maturing what that model, that framework, and those metrics are.

When I think about how we should be investing in security at Liberty Mutual and making the business case, sometimes it's very difficult, but I think about it at the top level. If you think about any business model, one approach is a product approach, where you get specific products and you develop go-to-market strategies around those.

If you think about the bad guys and their products, either they're looking to steal customer information, they are looking to steal intellectual property (IP), or they're looking to just shut down systems and disable services. So at the high level, we need to figure out exactly where we fit in that food chain. How much bigger risk are we at at that product level?

Gardner: I've seen another on-ramp to getting the attention and creating enough emphasis on the importance of security through the compliance and regulation side of things, and certainly the payment card industry (PCI) comes to mind. Has this been something that's worked for you at Liberty Mutual, or do you have certain compliance issues that perhaps spur along behaviors and patterns that can lead to longer-term security benefit?

McKenna: We're a highly regulated industry, and PCI is perhaps a good example. For our personal insurance business unit, we've just achieved compliance through a QSA. We've worked awfully hard at that. It's been a convenient step for us to address some of these foundational security improvements that we needed to make.

We're not done yet. We need to extend that, and now we're working on that, so that our entire systems have the same level of protections and controls that are required by PCI, but even beyond PCI. We're looking to extend those to all personally identifiable information, any sensitive information in the company, making sure that those assets have the same protections, the same controls that are essential.

Gardner: Raf, do you see that as well, that the compliance issues are really an on-ramp, or an accelerant, to some of these better security practices that we've been talking about?

Los: Absolutely. You can look at compliance in one of two ways. You can either look at compliance from a pure security perspective and say compliance is hogwash, just a checkbox exercise. There's simply no reason that it's ever going to improve security.

Being an optimist

Or you can be an optimist. I choose to be an optimist, and take my cue from a mentor of mine and say, "Look, it's a great way to demonstrate that you can do the minimum due diligence, satisfy the law and the regulation, while using it as a springboard to do other things."

And John has been talking about this too. Foundationally, I see things like PCI and other regulations, HIPAA, taking things that security would not ordinarily get involved in. For example, fantastic asset management and change management and organization.

When we think security, the first thing that often we hear is probably not a good change management infrastructure. Because of regulations and certain industries being highly regulated, you have to know what's out there. You have to know what shape it's in.

If you know your environment, the changes that are being made, know your assets, your cycles, and where things fall, you can much more readily consider yourself better at security. Do you believe that?

McKenna: It's a great plan. I think a couple of things. First of all, about leveraging compliance, PCI specifically, to make improvements for your entire security posture.

So we stepped back and considered, as a result of PCI mapped against the SANS Top 20 cyber security controls, where we made improvements. Then, we demonstrated that we made improvements in 16 of the 20 across the enterprise. So that's one point. We use compliance to help and improve the overall security posture.

As far as getting involved in other parts of the IT lifecycle, absolutely -- change management, asset management. Part of our method now for any new asset that's being introduced into production, the first question is, is this a PCI-related asset? And that requires certain controls and monitoring that we have to make sure are in place.

Los: That one question probably kicks off more security conversation than you would ever have before.

McKenna: Right, absolutely agree with you.

Gardner: I'm also looking at this larger theme of what's different now than, say, five years ago. I often hear that the types of threats are different. You mentioned the types of bad guys are different. We often hear now more about nation-states being involved rather than college students being mischievous.

I know it's going to vary from company to company, and by vertical industry, but do you sense that you're dealing with a different type or higher level of sophistication when it comes to threats now, John?

Level of sophistication

McKenna: We're certainly dealing with a higher level of sophistication. We know that. We also know that there is a lot we don't know. We certainly are different from some industries. We don't see that we're necessarily a direct target of nation-states, but maybe an indirect one. If we're part of a supply chain that is important, then we might still get targeted.

But my comment to that is that we've recognized the sophistication and we've recognized that we can't do this alone. So we've been very active, very involved in the industry, collaborating with other companies and even collaborating with universities.

An effort we've got underway is the Advanced Cyber Security Center, run out of Boston. It's a partnership across public and private sectors and university systems, trying to develop ways we can share intelligence, share information, and improve the overall talent base and knowledge base of our companies and industry.

Gardner: Raf, rising sophistication of security threats.

Los: This is something that's been building. When we started many years ago, hacking was a curiosity. It moved into mischief. It moved into individual gains and benefits. People were showing off to their girlfriend that they hacked a website and defaced it.

Those elements have not gone away, by the way, but we've moved into a totally new level of sophistication. The reason for that is that organized crime got involved. The risk is a lot higher in person than it is over the Internet. Encrypting somebody's physical hard drive and threatening to never give it back, unless they pay you, is a lot easier when there is nobody physically standing in front of you who can pull a gun on you. It's just how it is.

Over the "Internet," there is anonymity per se. There is a certain level of perceived anonymity, and it's easier to be part of those organized crimes. There are entire cultures, entire markets, and strata of organized crime that get into this. I'm not even going to touch the whole thing on activism and that whole world, because that's an entirely different ball of wax.

But absolutely, the threat has evolved. It's going to continue to evolve. To use a statement that was made earlier this morning in a keynote by Bruce Schneier, technology is often adapted by the bad guys much faster than it is by the good guys.

The bad guys look at it and say, "Ooh, how do we utilize it?" Good guys look at a car and say, "I can procure it, do an RFP, and it will take me x number of months." Bad guys say, "That's our getaway vehicle." It's just the way it works. It's opportunity.

Gardner: So not only more sophistication, but more types of attacks and, let's say, a speedier time to risk.

Los: It's less risk and more reward, and that's what everybody who's "bad" wants.

Insurance approach

Gardner: I want to go out on a limb a little bit here, and only because Liberty Mutual is a large and established insurance company. One of the things that I've been curious about in the field of security is when an insurance approach to security might arise.

For example, when fire is a hazard, we have insurance companies that come to a building and say, "We'll insure you, but you have to do x, y and z. You have to subscribe to these practices and you have to put in place this sort of infrastructure. Then, we'll come up with an insurance policy for you." Is such a thing possible with security for enterprises? Maybe you're not the right person, John, but I am going to try.

McKenna: It's an interesting discussion, and we had some of that discussion internally. Why aren't we leveraging some of the practices of our actuarial departments, or risk assessors that are out there working our insurance products?

I recently met with a company that, in fact, brokers cyber insurance, and we're trying to learn from them. This is certainly not a mature product yet or a mature marketplace for cyber insurance. Yet they're applying the same types of risk assessments, risk analysis, and metrics to determine exactly what a company's vulnerabilities might be, what their risk posture might be, and exactly how to price a cyber insurance product. We're trying to learn from that.

Gardner: So, Raf, an interesting concept.

Los: Yeah, it is. As you were talking, I kept thinking that my life insurance company knows how much they charge me based on years and years and years and years of statistical data behind smokers, non-smokers, people who drive fast, people who are sedentary, people who work out, eat well, etc. Do we have enough data in the cyber world? I don't think so, which means this is a really interesting game of risk.

McKenna: It's absolutely an interesting point. The fact that you don't have the metrics is one side of this. It's very difficult to price. But the fact that they at least know what they should be measuring to come up with that price is part of it. You need to leverage that as a risk model and figure out what kind of assumptions you're making and what evidence you can produce to at least verify or invalidate the model.

Los: On the notion of insurance, I can just think of all the execs that have listened to that, if it's that insurance, saying, "Great. That means we don't have to do anything, and if something bad happens the insurance will cover it." I can just see that as a light bulb going on over somebody's head.

Gardner: It's not the way it's going to work. What's going to happen is, if you don't do that, you won't be able to get insurance, and the companies that have insurance and that have best practices are going to win in the market. So I don't think that's too much of a risk, because that's not the way any other insurance works either, right John?

McKenna: That's exactly right, yeah.

Los: I do hope it goes that way. That's really a good driving force though.

McKenna: Again, we're just trying to learn from it, to understand how we should be assessing our own risk posture and prioritizing where we think the security investment should be.

What's the benchmark?

Gardner: If you take lots of risks, you pay more for insurance. The only question is what you benchmark against. What is good enough? Or do you benchmark against peers, and how readily will your peers share data with that insurance company? That's a dangerous topic.

Gardner: I'll just offer one insight on that -- the log data. If you're an insurance company, you want to find out what the posture of a company is, you have access to big data analysis, and you get access to the log data, you might have a good opportunity to provide more of an empirical view on a company's posture than they are able to do, and therefore create a value-added service. But that's just an off-the-cuff observation.

McKenna: I think the challenge is, as Raf mentioned, whether we have the data or the evidence. We have years and years and years of history around vehicle accidents, etc. We don't necessarily have all the correlations of data with log data and security data that would enable us to paint those historical patterns and understand them.

Los: That's what I'd be worried about. The causality between, if you do this, take this kind of risk, this is the likely outcome. I'm not sure we completely understand causality quite yet.

Gardner: Let's move on to one other area before we close off, and that would be other future-of-security trends or possibilities. We brought one into the fold, which is this notion of insurance, but is there anything else for you, John, that's interesting or hopeful in terms of the future of security and risk avoidance?

McKenna: In part this may be why I was put in this position. I have less of a technical security background and more an understanding of our business and how to make business decisions. We're getting much more direct engagement of our business partners or business units in helping us to assess risk and make decisions.

That is something that we're still continuing to work on, and we've seen some progress there, very good progress. I think we'll see even more progress, so that in fact all of our, or most of our, security decisions, whether it's investment or risk tolerance levels, are really rooted in a business position.

Gardner: Raf, last word to you, any other concepts for you coming down of interest in terms of where this is heading?

Away from the silo

Los: Security is moving in this direction already, but I think it's going to continue to move away from being a silo in the enterprise. It's something that is fundamental, a thread through the fabric. The notion of a stand-alone security team is definitely becoming outdated. It's a model that does not work. We demonstrated that it does not work.

It cannot be an afterthought and all the fun clichés to go with it. What you're going to start seeing more and more of are the nontraditional security things. Those include, as I said, change management, log aggregation, getting more involved in the business day to day, and actually understanding.

I can't tell you how many security people I talk to that I ask the question, "So what does your company do?" And I get that brief moment of blank stare. If you can't tell me how your company survives, stays competitive, and makes money, then really what are you doing and what are you protecting, and more importantly, why?

That's going to continue to evolve; it's just going to separate the really good folks, like John, that get it from those who are simply pushing buttons and hoping for the best.

Gardner: I'm afraid we'll have to leave it there, and with that let me please thank our co-host, Rafal Los, the Chief Security Evangelist at HP Software. Thank you so much.

Los: Thanks for having me again.

Gardner: And I'd also like to thank our supporter for this series, HP Software, and remind our audience to carry on the dialogue with Raf through his blog and also the Discover Performance Group on LinkedIn.

I'd also like to extend a huge thank you to our special guest, John McKenna, Vice President and Chief Information Security Officer for Liberty Mutual. Thanks so much, John.

McKenna: Thank you. This was fun, enjoyed it.

Gardner: And you all can gain more insights and information on the best of IT performance management at And you can also always access this and other episodes in our HP Discover Performance podcast series on iTunes under BriefingsDirect.

I'm Dana Gardner, Principal Analyst at Interarbor Solutions, your co-host and moderator for this ongoing discussion of IT innovation and how it's making an impact on people's lives.

Thanks again for listening, and come back next time.

Listen to the podcast. Find it on iTunes. Sponsor: HP

Copyright Interarbor Solutions, LLC, 2005-2012. All rights reserved.

You may also be interested in:

• Heartland CSO Instills Novel Culture That Promotes Proactive and Open Responsiveness to IT Security Risks
• Security Officer Sees Rapid Detection and Containment as New Best IT Security Postures for Enterprises
• Investing Well in IT With Emphasis on KPIs Separates Business Leaders from Business Laggards, Survey Results Show
• Expert Chat with HP on How Better Understanding Security Makes it an Enabler, Rather than Inhibitor, of Cloud Adoption
• Expert Chat with HP on How IT Can Enable Cloud While Maintaining Control and Governance