Why MassMutual's security chief doesn’t have to outrun bears

Financial firm's security lead sets policies, educates users and ensures his infrastructure is more secure than the competition's

Bruce Bonsall, security lead at MassMutual Financial Group since 1991, says one of the best changes in the financial industry over the years has been increased collaboration to fight IT threats. That's not to say, though, that he doesn’t want his company's level of security to be a differentiator. "There is an old saying that explains if you are hiking in the woods with a friend and a bear attacks, you don’t have to be able to outrun the bear, you just have to be able to outrun the friend," says the CISO for the Springfield, Mass., company. "If we have better security than the company down the street, then it's more likely they are going to get attacked." Bonsall, who has 50 people in his charge and oversees management of some 3.4 million identities, recently shared more of his thoughts on network security with Network World Senior Editor Denise Dubie.

Getting personal: Bruce Bonsall
Organization: MassMutual Financial Group
Title: Vice President and Chief Information Security Officer (has managed the MassMutual security team since 1991).
Responsibilities: With 19 years of experience managing large-scale corporate information security programs, Bonsall is responsible for all aspects of information security for MassMutual. Bonsall and his team set strategy, establish and enforce policies, manage security infrastructure, maintain over 3.4 million identities and consult on hundreds of projects throughout the enterprise each year. Much of Bonsall's focus over the past few years has been in the area of security governance and regulatory compliance.
Staff size: 50
Annual budget: Undisclosed
Previous jobs: Security Analyst, Monarch Systems Group
Education: Associate degree in civil engineering from Springfield Technical Community College, 1982.
If he wasn't in IT he'd be: Writing spy novels
Claims to fame: Winner of 2006 National Information Security Executive of the Year Award; Certified Information Systems Security Professional (CISSP) since 1997.
Fun fact: Loves outdoor sports. "Navigating rapids in a kayak is like navigating corporate politics. You have to know when to go with the current and know when to paddle like hell!"

What projects top your priority list for 2007?

Our priorities fall along a couple of lines. One is automating a lot of the manual work that we do, particularly in the identity management area in terms of adding IDs to all the systems and setting up all the access that people need. The reason we need to automate is that although we are very good at [ID management], we have grown to the point where we just can't scale. We could keep throwing bodies at it, but I think through automation we will be a lot more nimble. The company is in growth mode, and we'd like to be in a position where we can acquire other companies and bring them on board quickly. If we have to do that manually, it can really hinder our growth.

Are you looking into any new technologies to help secure the infrastructure?

Another area is really improving our ability to manage the business of information security. Up until recently we have been focused on the tactical implementation of countermeasures and defenses to deal with threats and new technologies. We have put on layer upon layer of firewalls, intrusion detection and access controls. But now we have to be able to manage all those pieces of technology and be able to get a holistic picture of our security posture at any given time. You typically hear this referred to as security information management. We are instrumenting a lot of our technologies so that we have dashboards and scorecards to help us get a clear picture of how we are managing security. The whole idea is to manage risk. You need to understand what all your assets are, how valuable they are to you, how threatened they are and then formulate some set of priorities as to where to invest your security dollars. And it changes literally from second to second when threats rise and fall so you have to be able to adapt.

What do you consider the biggest threat in information security?

It is really the trend toward more sophisticated attacks, the blended threats and the multivector attacks. The bad guys are getting more and more sophisticated, and they are getting more and more targeted. In the past, it seemed a lot of attacks and probings were really kind of random, but now they are targeting the financial sector in particular. They are looking for identities to pharm.

Are there any technologies that protect more than others against such unknown threats and targeted attacks?

Patching system vulnerabilities is one of the most important aspects of this. Most of these attacks are leveraging some known vulnerability. Unfortunately the end user is becoming the target more often, and keystroke loggers are being used to capture passwords. I can only patch MassMutual's systems, and we have to educate our users so they patch their own.

How do you stay ahead of all the patching cycles from various vendors?

We have tools we are working with now, in the implementation phase, for what I call compliance monitoring. We are trying to make sure we are complying with our own standards on configuration. We have software vulnerability scanners, systems and network scanners. We scan everything.

How do you get end users and customers to protect their information when it's out of your hands?

That's a tough one. Not only do I have to educate our home-office population and the agency field force — which is spread out across the country — but now we have to communicate with our customers because they are actually part of our extended network. For instance, when they use their PCs at home to check their 401(k) account, if their PC has been compromised then they are at risk when they are using our systems. We're working with our marketing and client services departments to provide them with talking points. For instance, the TJX situation brought in quite a few inquiries to our call centers about how MassMutual protects against that specific sort of thing.

How do you balance new technology adoption against security concerns?

If a tool gains enough popularity with the masses that it's inevitable then you can't really resist it. We have to be a little bit forward-looking and pay a lot of attention to technology and the adoption rate of technology. There are times when we will say we don't recommend the use of certain technologies in certain capacities. For instance, voice over IP is one of those things that if we use it on our internal campus network where the security is much greater then I don’t have a problem with it. But using VoIP over the public Internet is something we might resist a little bit.

Are you waiting for standards to mature?

What we have seen is that when protocols are new they tend to be a little bit imperfect, the controls tend not to be there and the security tends not to be as robust. From a security practitioner's standpoint lagging behind the bleeding edge tends to be a much more comfortable place to be. But when we know the business is chomping at the bit to use some technology then we need to rise to the occasion and figure out the best way to control it and what policies to set.

What is your take on the emerging network access control (NAC) technologies from vendors such as Cisco and Microsoft?

There are a lot of vendors selling products in that area and we are evaluating NAC tools right now. The tough thing is to pay attention to all these emerging technologies enough to figure out if they are vapor or if there is real substance to it. In most cases, building security in is a great idea. There are times when it makes sense to abstract certain types of security. We are moving away from the niche products and best-of-breed products to suites.

Do you think there is value in building security into an operating system, such as Microsoft has done with Vista?

The concept is good. I don't know that Microsoft has fully achieved that yet. Right now there are definitely security improvements in Vista, but we don't think they are significant enough to compel us to move to Vista.

What does someone in your position learn from public security breaches at companies such as TJX, which compromised customer data?

First recognize bad things happen, and don't be in denial about it. Just because it hasn't happened here doesn't mean it can't happen. We started encrypting all our laptops five, six or seven years ago, and that has saved us on numerous occasions when hardware could have been lost and the data could have gone along with it. The fact that there is a market for identities is enough to scare anybody. And if you got nonpublic, personal information on your systems, you had better expect that it is a target and do whatever you can to protect it from the minute it's entered into the system until the day it's deleted.

Do you feel that IT should be held accountable when such security breaches occur?

It depends. There are times when IT is negligent and times when it is a scapegoat. If you are explaining the issues well enough to your business people and they are not coming forward with the funding to be able to put in the right countermeasures, then I'd say it's the business side's fault. But if you aren't explaining it well enough, then you are asleep at the switch. There's clearly a balancing act in terms of the amount of money and energy you spend on securing anything. You can't spend more than the thing that you are protecting is worth.

What's changed for the better over your 20 years in the industry?

I am very pleased about the way the financial industry has pulled together to help improve our resiliency to threats. There is a lot of great collaboration among industry peers, and there is also a lot of cross industry discussion going on. The criminals are organized, but so are the good guys.

Is it better to share security tactics with competitors or does that put MassMutual at a disadvantage?

Good security can be a positive differentiator, and it can be a competitive edge. But I don't want our peers to be a target. I want their systems to be secure, because if they're not, their systems could be a launch pad or a spreader of the next disruptive virus. We want our peers to be well-protected because it reduces the fallout we suffer from the bad stuff as well. So we don't withhold how we secure our systems from our peer companies to try to maintain an edge. We just try to be better than they are at what we do in business.

Explain some of your responsibilities at MassMutual Financial Group.

I am a vice president and CISO so I have overall responsibility for all aspects of information security for MassMutual and some of our subsidiaries, but not all of them. That runs the gamut from setting policy, developing strategy, conducting awareness and education sessions to maintaining the security infrastructure with things like firewalls, intrusion-detection systems and encryption on servers. I do a lot of monitoring of network traffic for indications of intrusion. Also we monitor our own configuration settings to make sure we comply with our own policies, for instance, on how we harden servers.

How large is your team?

Now we have more than 50 people on the team, and that has almost doubled in the last two years. That growth to a great degree is driven by the growth of the company itself, but also a lot of additional scrutiny from regulators.

What size is your environment?

We have more than 1,000 servers and some 6,000 PCs connected to the network. We have a number of locations in the United States, and our network spans to Asia and Europe. I am in charge of the Springfield campus and Enfield, Conn., location and some of the subsidiaries. Some, like Oppenheimer Funds, are large enough to have their own security team. Still we collaborate and swap best practices and that sort of thing, but they have their own set of policies and I don't dictate to them.

What is involved in setting policies at your organization?

We have a process wherein my management team and other senior members of departments meet on a weekly basis and we talk about technology trends, threat trends and regulatory trends. We think about what sort of policies we might need to enact. As an example, the use of BlackBerries and wireless technology is growing so when new technologies like that come about then we contemplate what types of policies we need to help control it. We develop the policies. We have some attorneys we work with in our law division and we send the policies to them to make sure the policies are going to stand up legally. Then we publish our policies on a quarterly basis so we don't need to interject change on a daily basis so it's a little more orderly. At any given time, we can say during this quarter these are the policies that will be in effect. We send them out to compliance counsel members that represent each of the lines of business in each of the corporate areas so they can tell us whether the policies are ones that their business constituents can live with.

It seems half the battle with IT security is getting users to adhere to policies. How do you handle that?
