InformationWeek 500: How MassMutual Got Its Security Data Under Control - InformationWeek
Business & Finance
12:30 PM
Building Security for the IoT
Nov 09, 2017
In this webcast, experts discuss the most effective approaches to securing Internet-enabled system ...Read More>>

InformationWeek 500: How MassMutual Got Its Security Data Under Control

Application framework automatically pulls risk and security-related information from various security systems, letting insurer quickly respond to threats while also cutting costs.

With threats proliferating and a steady stream of software vulnerabilities to track, it's only natural that companies want as much information about the security of their IT environments as possible. That's no small task, though, when the information is spread across a dozen applications scattered throughout a company that handles sensitive personal information, and lots of it.

With this in mind, MassMutual, known officially as Massachusetts Mutual Life Insurance, spent the past year and a half making use of an application framework that automates its ability to pull risk and security-related information from a number of different security systems. Automation has let the company more quickly respond to threats while cutting costs associated with finding, assessing, and responding to these dangers. And it helps prioritize, so the company is spending time on the greatest risks.

MassMutual's approach to security is "now based on a more current, holistic picture of the enterprise," CIO Mike Foley says.

With so many risks to evaluate, MassMutual needs to be able to move back-and-forth from the big picture to specific areas of concern. "We need to be able to drill down on specifics, but there are so many things to track that we also need to look at them collectively," says Bruce Bonsall, VP of information security at the financial services company, which had $456 billion in assets under management at the end of last year, and U.S. insurance policy sales of $1.6 billion.

Illustration by Curtis Parker
Illustration by Curtis Parker
Bonsall and his team are charged with protecting MassMutual's main offices in Springfield, Mass., and Enfield, Conn., against intrusions and cyberthreats. With 6,000 employees across those two locations, an equivalent number of PCs, thousands of servers and networking devices, and about 700 applications, that's no small order.

Just as important is the need to protect MassMutual's Web site, which is composed of 7,000 pages and dozens of applications, much of which is available to its more than 12 million individual and business clients looking for information about the dozens of services the company provides. In addition to life, disability, and long-term care insurance, MassMutual offers mutual funds, college savings plans, and other investments. From the Web, investors can track the performance of their investments, transfer funds, and set alerts that inform them of changes. Business owners and benefits administrators rely on the site to manage insurance, retirement, and other benefits they offer employees. Brokers and financial services providers that resell MassMutual's services look to the site for information about marketing and maintaining those services.

As it interacts with all clients and partners, MassMutual collects and retains a lot of sensitive company and personal information. The risks involved with handling that data are something CIO Foley is hyperaware of. "Customer confidence and our reputation in the industry are critical to the continuing success of our business," he says.

As a result, security has garnered more attention within MassMutual, among its clients, and from regulators. "A lot more people care about security than did in the past," Bonsall says. "And a lot of this comes from what customers read about data breaches elsewhere." Potential customers are asking a lot more questions about security, and they can be very specific when submitting requests for proposals, right down to asking MassMutual what kinds of firewalls it uses, he says.

Answers to security questions come from MassMutual's 50-person security group that includes an internal consulting team, which assigns members to projects based on security subject matter experts; a security infrastructure engineering team that supports firewalls, intrusion prevention devices, and other security tools; a security assurance team that analyzes security monitoring data; and a team responsible for identity management.

1 of 2
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
How Enterprises Are Attacking the IT Security Enterprise
How Enterprises Are Attacking the IT Security Enterprise
To learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
Register for InformationWeek Newsletters
White Papers
Current Issue
2017 State of IT Report
In today's technology-driven world, "innovation" has become a basic expectation. IT leaders are tasked with making technical magic, improving customer experience, and boosting the bottom line -- yet often without any increase to the IT budget. How are organizations striking the balance between new initiatives and cost control? Download our report to learn about the biggest challenges and how savvy IT executives are overcoming them.
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll