Network World

Why MassMutual's security chief doesn't have to outrun bears

Financial firm's security lead sets policies, educates users and ensures his infrastructure is more secure than the competition's
By Denise Dubie , Network World , 02/28/2007

Bruce Bonsall, security lead at MassMutual Financial Group since 1991, says one of the best changes in the financial industry over the years has been increased collaboration to fight IT threats. That's not to say, though, that he doesn’t want his company's level of security to be a differentiator. "There is an old saying that explains if you are hiking in the woods with a friend and a bear attacks, you don’t have to be able to outrun the bear, you just have to be able to outrun the friend," says the CISO for the Springfield, Mass., company. "If we have better security than the company down the street, then it's more likely they are going to get attacked." Bonsall, who has 50 people in his charge and oversees management of some 3.4 million identities, recently shared more of his thoughts on network security with Network World Senior Editor Denise Dubie.

Getting personal: Bruce Bonsall

Organization: MassMutual Financial Group
Title: Vice President and Chief Information Security Officer (has managed the MassMutual security team since 1991).
Responsibilities: With 19 years of experience managing large-scale corporate information security programs, Bonsall is responsible for all aspects of information security for MassMutual. Bonsall and his team set strategy, establish and enforce policies, manage security infrastructure, maintain over 3.4 million identities and consult on hundreds of projects throughout the enterprise each year. Much of Bonsall's focus over the past few years has been in the area of security governance and regulatory compliance.
Staff size: 50
Annual budget: Undisclosed
Previous jobs: Security Analyst, Monarch Systems Group 
Education: Associate's degree in civil engineering from Springfield Technical Community College, 1982.
If he wasn't in IT he'd be: Writing spy novels
Claims to fame: Winner of 2006 National Information Security Executive of the Year Award; Certified Information Systems Security Professional (CISSP), since 1997.
Fun fact: Loves outdoor sports. "Navigating rapids in a kayak is like navigating corporate politics. You have to know when to go with the current and know when to paddle like hell!"

What projects top your priority list for 2007?

Our priorities fall along a couple of lines. One is automating a lot of the manual work that we do, particularly in the identity management area in terms of adding IDs to all the systems and setting up all the access that people need. The reason we need to automate is that although we are very good at [ID management], we have grown to the point where we just can't scale. We could keep throwing bodies at it, but I think through automation we will be a lot more nimble. The company is in growth mode, and we'd like to be in a position where we can acquire other companies and bring them on board quickly. If we have to do that manually, it can really hinder our growth.

Are you looking into any new technologies to help secure the infrastructure?

Another area is really improving our ability to manage the business of information security. Up until recently we have been focused on the tactical implementation of countermeasures and defenses to deal with threats and new technologies. We have put on layer upon layer of firewalls, intrusion detection and access controls. But now we have to be able to manage all those pieces of technology and be able to get a holistic picture of our security posture at any given time. You typically hear this referred to as security information management. We are instrumenting a lot of our technologies so that we have dashboards and scorecards to help us get a clear picture of how we are managing security. The whole idea is to manage risk. You need to understand what all your assets are, how valuable they are to you, how threatened they are and then formulate some set of priorities as to where to invest your security dollars. And it changes literally from second to second when threats rise and fall so you have to be able to adapt.
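Bonsall's closing point, that you inventory assets, weigh their value against the current threat level, and re-rank where the security dollars go as threats rise and fall, is easy to turn into a small risk register. The following is an added illustration and not MassMutual's tooling or anything from the interview; the asset names, value and threat scales (1 to 5), and the per-control weights are constructed assumptions chosen to show how the layered countermeasures he mentions (firewalls, intrusion detection, access controls) reduce residual risk and how a threat change reorders priorities.

```python
"""Added example: a minimal risk register in the spirit of Bonsall's description.
Nothing here is MassMutual's code; asset names, scores and weights are constructed."""

from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    value: int                       # business value, 1 (low) to 5 (critical); constructed scale
    threat: int                      # current threat level, 1 to 5; constructed scale
    controls: set = field(default_factory=set)   # layered countermeasures in place


# Share of exposure each defensive layer removes. Assumed weights for illustration only.
CONTROL_WEIGHT = {"firewall": 0.30, "ids": 0.20, "access_control": 0.30}
MIN_EXPOSURE = 0.10   # no set of controls drives risk to zero


def exposure(asset: Asset) -> float:
    """Fraction of risk remaining after the asset's controls are applied."""
    covered = sum(CONTROL_WEIGHT.get(c, 0.0) for c in asset.controls)
    return max(MIN_EXPOSURE, 1.0 - covered)


def residual_risk(asset: Asset) -> float:
    """Value x threat x exposure, rounded for a scorecard."""
    return round(asset.value * asset.threat * exposure(asset), 2)


def missing_controls(asset: Asset) -> list:
    """Layers not yet deployed on this asset; the 'where to invest' column."""
    return sorted(set(CONTROL_WEIGHT) - asset.controls)


def prioritize(assets: list) -> list:
    """Assets ordered from highest to lowest residual risk."""
    return sorted(assets, key=residual_risk, reverse=True)


def scorecard(assets: list) -> list:
    """One dashboard row per asset: (name, residual risk, missing controls)."""
    return [(a.name, residual_risk(a), missing_controls(a)) for a in prioritize(assets)]


def set_threat(assets: list, name: str, level: int) -> None:
    """Update an asset's threat level as intelligence changes; priorities re-sort on next read."""
    for a in assets:
        if a.name == name:
            a.threat = level
            return
    raise KeyError(name)


def build_register() -> list:
    """Constructed sample inventory."""
    return [
        Asset("identity_store", value=5, threat=3, controls={"firewall", "ids", "access_control"}),
        Asset("web_portal", value=4, threat=4, controls={"firewall"}),
        Asset("file_share", value=2, threat=2, controls=set()),
    ]


def priority_names(assets: list) -> list:
    return [a.name for a in prioritize(assets)]


if __name__ == "__main__":
    register = build_register()
    for row in scorecard(register):
        print(row)
    set_threat(register, "identity_store", 5)    # threat against the identity store rises
    print(priority_names(register))
```

The point of the example is the re-sort: with the constructed numbers the thinly defended web portal sits at the top of the list, and a threat increase against the identity store moves it from last to second despite its full set of controls. A real scorecard would draw `threat` from intrusion detection and threat intelligence feeds rather than a hand-set integer, which is the instrumentation work the interview describes.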
