InformationWeek 500: How MassMutual Got Its Security Data Under Control
Application framework automatically pulls risk and security-related information from various security systems, letting insurer quickly respond to threats while also cutting costs.
With threats proliferating and a steady stream of software vulnerabilities to track, it's only natural that companies want as much information about the security of their IT environments as possible. That's no small task, though, when the information is spread across a dozen applications scattered throughout a company that handles sensitive personal information, and lots of it.
With this in mind, MassMutual, known officially as Massachusetts Mutual Life Insurance, spent the past year and a half making use of an application framework that automates its ability to pull risk and security-related information from a number of different security systems. Automation has let the company more quickly respond to threats while cutting costs associated with finding, assessing, and responding to these dangers. And it helps prioritize, so the company is spending time on the greatest risks.
MassMutual's approach to security is "now based on a more current, holistic picture of the enterprise," CIO Mike Foley says.
With so many risks to evaluate, MassMutual needs to be able to move back and forth from the big picture to specific areas of concern. "We need to be able to drill down on specifics, but there are so many things to track that we also need to look at them collectively," says Bruce Bonsall, VP of information security at the financial services company, which had $456 billion in assets under management at the end of last year, and U.S. insurance policy sales of $1.6 billion.
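The article describes the framework only in outline: pull findings from several security systems, weight them by risk, and support both a collective view and a drill-down on one area. The following is an added illustration of that idea, not MassMutual's framework or any vendor's product. The three feeds, their field names, the severity mappings and the asset criticality values are all constructed for the example.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed sample exports from three hypothetical security systems;
# the field names are assumptions, not any real product's schema.
SCANNER_EXPORT = [
    {"host": "web-01", "cvss": 9.8, "plugin": "outdated TLS library"},
    {"host": "db-02", "cvss": 7.5, "plugin": "unpatched database service"},
]
IDS_EXPORT = [
    {"dst": "web-01", "signature": "SQL injection attempt", "priority": 1},
]
IAM_EXPORT = [
    {"host": "db-02", "issue": "stale privileged account", "level": "medium"},
]

# Business criticality of each asset on a 0..1 scale (constructed values).
ASSET_CRITICALITY = {"web-01": 0.8, "db-02": 1.0}
DEFAULT_CRITICALITY = 0.5


@dataclass
class Finding:
    asset: str
    source: str
    title: str
    severity: float  # normalized to a 0..10 scale regardless of source


def normalize_scanner(rows):
    # CVSS is already on a 0..10 scale, so it maps straight through.
    return [Finding(r["host"], "scanner", r["plugin"], float(r["cvss"])) for r in rows]


def normalize_ids(rows):
    # IDS priority 1 is the most urgent; map it onto the shared scale.
    scale = {1: 9.0, 2: 6.0, 3: 3.0}
    return [Finding(r["dst"], "ids", r["signature"], scale.get(r["priority"], 1.0)) for r in rows]


def normalize_iam(rows):
    # Identity findings arrive as words; map them onto the shared scale.
    scale = {"low": 3.0, "medium": 6.0, "high": 9.0}
    return [Finding(r["host"], "iam", r["issue"], scale.get(r["level"], 1.0)) for r in rows]


def collect_findings():
    """Pull from every feed and return one list in the common schema."""
    return normalize_scanner(SCANNER_EXPORT) + normalize_ids(IDS_EXPORT) + normalize_iam(IAM_EXPORT)


def risk_score(finding):
    """Severity weighted by how much the business depends on the asset."""
    return round(finding.severity * ASSET_CRITICALITY.get(finding.asset, DEFAULT_CRITICALITY), 2)


def risk_by_asset(findings):
    """The collective view: total risk per asset, highest first."""
    totals = defaultdict(float)
    for f in findings:
        totals[f.asset] += risk_score(f)
    return sorted(((a, round(t, 2)) for a, t in totals.items()), key=lambda x: x[1], reverse=True)


def drill_down(findings, asset):
    """The specific view: every finding on one asset, highest risk first."""
    return sorted((f for f in findings if f.asset == asset), key=risk_score, reverse=True)


if __name__ == "__main__":
    findings = collect_findings()
    for asset, total in risk_by_asset(findings):
        print(f"{asset}: total risk {total}")
        for f in drill_down(findings, asset):
            print(f"  [{f.source}] {f.title} -> {risk_score(f)}")
```

The point of the common schema is that once every source speaks the same severity scale, ranking and drill-down are a single sort rather than one query per tool; in practice the criticality table and the severity mappings are where the real tuning effort goes, and they should be reviewed whenever a new feed is added.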
Illustration by Curtis Parker
Bonsall and his team are charged with protecting MassMutual's main offices in Springfield, Mass., and Enfield, Conn., against intrusions and cyberthreats. With 6,000 employees across those two locations, an equivalent number of PCs, thousands of servers and networking devices, and about 700 applications, that's no small order.
Just as important is the need to protect MassMutual's Web site, which is composed of 7,000 pages and dozens of applications, much of which is available to its more than 12 million individual and business clients looking for information about the dozens of services the company provides. In addition to life, disability, and long-term care insurance, MassMutual offers mutual funds, college savings plans, and other investments. From the Web, investors can track the performance of their investments, transfer funds, and set alerts that inform them of changes. Business owners and benefits administrators rely on the site to manage insurance, retirement, and other benefits they offer employees. Brokers and financial services providers that resell MassMutual's services look to the site for information about marketing and maintaining those services.
SPOTLIGHT ON SECURITY
As it interacts with all clients and partners, MassMutual collects and retains a lot of sensitive company and personal information. The risks involved with handling that data are something CIO Foley is hyperaware of. "Customer confidence and our reputation in the industry are critical to the continuing success of our business," he says.
As a result, security has garnered more attention within MassMutual, among its clients, and from regulators. "A lot more people care about security than did in the past," Bonsall says. "And a lot of this comes from what customers read about data breaches elsewhere." Potential customers are asking a lot more questions about security, and they can be very specific when submitting requests for proposals, right down to asking MassMutual what kinds of firewalls it uses, he says.
Answers to security questions come from MassMutual's 50-person security group that includes an internal consulting team, which assigns members to projects based on security subject matter experts; a security infrastructure engineering team that supports firewalls, intrusion prevention devices, and other security tools; a security assurance team that analyzes security monitoring data; and a team responsible for identity management.