InformationWeek 500: How MassMutual Got Its Security Data Under Control - InformationWeek
Business & Finance
12:30 PM

InformationWeek 500: How MassMutual Got Its Security Data Under Control

Application framework automatically pulls risk and security-related information from various security systems, letting insurer quickly respond to threats while also cutting costs.

With threats proliferating and a steady stream of software vulnerabilities to track, it's only natural that companies want as much information about the security of their IT environments as possible. That's no small task, though, when the information is spread across a dozen applications scattered throughout a company that handles sensitive personal information, and lots of it.

With this in mind, MassMutual, known officially as Massachusetts Mutual Life Insurance, spent the past year and a half making use of an application framework that automates its ability to pull risk and security-related information from a number of different security systems. Automation has let the company more quickly respond to threats while cutting costs associated with finding, assessing, and responding to these dangers. And it helps prioritize, so the company is spending time on the greatest risks.

MassMutual's approach to security is "now based on a more current, holistic picture of the enterprise," CIO Mike Foley says.

With so many risks to evaluate, MassMutual needs to be able to move back-and-forth from the big picture to specific areas of concern. "We need to be able to drill down on specifics, but there are so many things to track that we also need to look at them collectively," says Bruce Bonsall, VP of information security at the financial services company, which had $456 billion in assets under management at the end of last year, and U.S. insurance policy sales of $1.6 billion.

Illustration by Curtis Parker
Illustration by Curtis Parker
Bonsall and his team are charged with protecting MassMutual's main offices in Springfield, Mass., and Enfield, Conn., against intrusions and cyberthreats. With 6,000 employees across those two locations, an equivalent number of PCs, thousands of servers and networking devices, and about 700 applications, that's no small order.

Just as important is the need to protect MassMutual's Web site, which is composed of 7,000 pages and dozens of applications, much of which is available to its more than 12 million individual and business clients looking for information about the dozens of services the company provides. In addition to life, disability, and long-term care insurance, MassMutual offers mutual funds, college savings plans, and other investments. From the Web, investors can track the performance of their investments, transfer funds, and set alerts that inform them of changes. Business owners and benefits administrators rely on the site to manage insurance, retirement, and other benefits they offer employees. Brokers and financial services providers that resell MassMutual's services look to the site for information about marketing and maintaining those services.

As it interacts with all clients and partners, MassMutual collects and retains a lot of sensitive company and personal information. The risks involved with handling that data are something CIO Foley is hyperaware of. "Customer confidence and our reputation in the industry are critical to the continuing success of our business," he says.

As a result, security has garnered more attention within MassMutual, among its clients, and from regulators. "A lot more people care about security than did in the past," Bonsall says. "And a lot of this comes from what customers read about data breaches elsewhere." Potential customers are asking a lot more questions about security, and they can be very specific when submitting requests for proposals, right down to asking MassMutual what kinds of firewalls it uses, he says.

Answers to security questions come from MassMutual's 50-person security group that includes an internal consulting team, which assigns members to projects based on security subject matter experts; a security infrastructure engineering team that supports firewalls, intrusion prevention devices, and other security tools; a security assurance team that analyzes security monitoring data; and a team responsible for identity management.

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of the Cloud Report
As the use of public cloud becomes a given, IT leaders must navigate the transition and advocate for management tools or architectures that allow them to realize the benefits they seek. Download this report to explore the issues and how to best leverage the cloud moving forward.
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join us for a roundup of the top stories on for the week of November 6, 2016. We'll be talking with the editors and correspondents who brought you the top stories of the week to get the "story behind the story."
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll