Business & Finance
04:10 PM
Connect Directly

Cigna's Craig Shumard: One Man's Security Mission

This security chief has his hands full locking down all the personal data that flows through a big benefits provider's operations. We spend a day with him finding out just how he does it.

Craig Shumard, Cigna's chief information protection officer, sits at the head of a polished wood table in a small, sunlit conference room in Cigna's Bloomfield, Conn., office complex. It's 10 a.m. He listens patiently to two of his lieutenants discuss a prospective vendor and then leans forward and inquires in his commanding baritone: "Who are they? What kind of customers do they have? What kind of penetration do they have in the banking or financial services market? That would help us understand the maturity of their product."

Craig Shumard, Chief Information Protection Officer, Cigna

Craig Shumard
Chief Information Protection Officer, Cigna

Photo by James Leynse

view the image gallery
Shumard is relentless when it comes to getting the details he needs to guide the information security operations of the $16.5 billion-a-year employee benefits provider. In this case, he's assessing whether to buy entitlement management software from a new, untested vendor. Entitlement management is the latest rev in access control software, letting employees access only specific parts of an application or fields in a database according to their jobs, titles, and levels of authority. If an employee isn't authorized to see Social Security numbers, he won't see them. This level of granularity may seem like a luxury, but it's not, Shumard says, because it's what Cigna's customers--about 60,000 companies buying insurance and benefits for their employees--are looking for in the security operations of their benefits providers. "Customers' demands are getting more aggressive," he says. "If you can't do entitlement management, you may be turning away or losing business."

Making sure IT security at Cigna is done right from the customer's point of view is Shumard's top priority. He knows full well what can happen if customers' concerns aren't put first. The company's revenue fell 15%, from $19.3 billion in 2002 to last year's $16.5 billion, because of several problems, including a botched $1 billion IT transformation and CRM project. The employees of Cigna's customers had trouble signing up for health coverage, and some temporarily lost coverage. Not a good situa- tion when your market is fiercely competitive.

That backdrop partly explains the 56-year-old Shumard's hyperattention to details. But it's also just the way he is. The entitlement management meeting is the second of eight in a day that started at 9 a.m., when Shumard sat down with Cecil Hudson, Cigna's director of sales effectiveness. The third meeting of the day is to take a final look at a vendor's access management product. Later he'll sit down with Cigna's VP of health care service operations, meet with the heads of Cigna's Diversity Council, and finally review all security-related IT projects. Along the way, Shumard will squeeze in two meetings that are too sensitive for a reporter to attend: a discussion of application access with Cigna's legal counsel and a meeting with the VP of risk management.

InformationWeek Download

This is a typical day for the security chief, focused on locking down Cigna's 9,000 laptops, 22,000 desktop PCs, thousands of applications, and 140 terabytes of stored data generated by its 26,500 employees and the 47 million people worldwide who use its services. But that's not all that's going on, Shumard says. As with entitlement management, most of the rest of his work is driven by customers' concerns about data security and privacy.

"Potential customers typically will ask two, three, four questions specifically about privacy on the RFPs they send Cigna before doing business with us," Shumard says. Talk about nitty-gritty: Questions get down to the lengths of passwords Cigna employees use to access the systems that work with customer data. One of Cigna's customers sent the company an RFP with 536 questions--not all related to information security, thankfully--and spent five days with Cigna management poring over the details of a potential deal.

1 of 4
Comment  | 
Print  | 
More Insights
The Business of Going Digital
The Business of Going Digital
Digital business isn't about changing code; it's about changing what legacy sales, distribution, customer service, and product groups do in the new digital age. It's about bringing big data analytics, mobile, social, marketing automation, cloud computing, and the app economy together to launch new products and services. We're seeing new titles in this digital revolution, new responsibilities, new business models, and major shifts in technology spending.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July10, 2014
When selecting servers to support analytics, consider data center capacity, storage, and computational intensity.
Flash Poll
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.