InformationWeek 500: How MassMutual Got Its Security Data Under Control
Application framework automatically pulls risk and security-related information from various security systems, letting insurer quickly respond to threats while also cutting costs.
With threats proliferating and a steady stream of software vulnerabilities to track, it's only natural that companies want as much information about the security of their IT environments as possible. That's no small task, though, when the information is spread across a dozen applications scattered throughout a company that handles sensitive personal information, and lots of it.
With this in mind, MassMutual, known officially as Massachusetts Mutual Life Insurance, spent the past year and a half making use of an application framework that automates its ability to pull risk and security-related information from a number of different security systems. Automation has let the company more quickly respond to threats while cutting costs associated with finding, assessing, and responding to these dangers. And it helps prioritize, so the company is spending time on the greatest risks.
MassMutual's approach to security is "now based on a more current, holistic picture of the enterprise," CIO Mike Foley says.
With so many risks to evaluate, MassMutual needs to be able to move back-and-forth from the big picture to specific areas of concern. "We need to be able to drill down on specifics, but there are so many things to track that we also need to look at them collectively," says Bruce Bonsall, VP of information security at the financial services company, which had $456 billion in assets under management at the end of last year, and U.S. insurance policy sales of $1.6 billion.
Illustration by Curtis Parker
Bonsall and his team are charged with protecting MassMutual's main offices in Springfield, Mass., and Enfield, Conn., against intrusions and cyberthreats. With 6,000 employees across those two locations, an equivalent number of PCs, thousands of servers and networking devices, and about 700 applications, that's no small order.
Just as important is the need to protect MassMutual's Web site, which is composed of 7,000 pages and dozens of applications, much of which is available to its more than 12 million individual and business clients looking for information about the dozens of services the company provides. In addition to life, disability, and long-term care insurance, MassMutual offers mutual funds, college savings plans, and other investments. From the Web, investors can track the performance of their investments, transfer funds, and set alerts that inform them of changes. Business owners and benefits administrators rely on the site to manage insurance, retirement, and other benefits they offer employees. Brokers and financial services providers that resell MassMutual's services look to the site for information about marketing and maintaining those services.
SPOTLIGHT ON SECURITY
As it interacts with all clients and partners, MassMutual collects and retains a lot of sensitive company and personal information. The risks involved with handling that data are something CIO Foley is hyperaware of. "Customer confidence and our reputation in the industry are critical to the continuing success of our business," he says.
As a result, security has garnered more attention within MassMutual, among its clients, and from regulators. "A lot more people care about security than did in the past," Bonsall says. "And a lot of this comes from what customers read about data breaches elsewhere." Potential customers are asking a lot more questions about security, and they can be very specific when submitting requests for proposals, right down to asking MassMutual what kinds of firewalls it uses, he says.
Answers to security questions come from MassMutual's 50-person security group that includes an internal consulting team, which assigns members to projects based on security subject matter experts; a security infrastructure engineering team that supports firewalls, intrusion prevention devices, and other security tools; a security assurance team that analyzes security monitoring data; and a team responsible for identity management.
IT's Reputation: What the Data SaysInformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business really views IT's performance in delivering services - and, more important, powering innovation. Our results suggest IT leaders should worry less about whether they're getting enough resources and more about the relationships they have with business unit peers.
What The Business Really Thinks Of IT: 3 Hard TruthsThey say perception is reality. If so, many in-house IT departments have reason to worry. InformationWeek's IT Perception Survey seeks to quantify how IT thinks it's doing versus how the business views IT's performance in delivering services - and, more important, powering innovation. The news isn't great.
InformationWeek Must Reads Oct. 21, 2014InformationWeek's new Must Reads is a compendium of our best recent coverage of digital strategy. Learn why you should learn to embrace DevOps, how to avoid roadblocks for digital projects, what the five steps to API management are, and more.