Much is made of the need for security professionals to improve communications with business executives, but insurance giant Insurance Australia Group (IAG) has dealt with a different challenge after a formal security council was recently established to co-ordinate security responses between the company’s five different CIOs.
With IT security delivered on a shared-services basis across IAG, the establishment of a security working group was a natural step towards ensuring those services were meeting the needs of each business unit, Ian Cameron, chief security engineer with IAG, said during a panel discussion at the recent IBM Pulse service management conference.
“With five different business units and five CIOs, there are lots of competing forces, different rates of velocities of change, and different business imperatives,” explained Cameron, who chairs the monthly meetings to present updates on the effectiveness of existing security controls, and to plan future security initiatives around emerging business imperatives.
“We work in really dynamic business environments, and the risks are changing all the time. We use the security council as a forum for presenting business cases for approval, for investments or for investment in adding to our security capabilities. We’re moving from worrying about patching apps, and moving up the stack to the business. It’s all about focusing on the preventive or proactive controls that are really just considered best practice; we are getting back to basics.”
Putting this form of cross-silo governance into action has helped improve co-ordination of security efforts across the company’s massive operations, ensuring that the security team spends less time dealing with individual business units’ idiosyncrasies and more time exploring the potential of technologies such as identity and access management (IAM).
IAM is particularly relevant for IAG because its security profile includes the management of systems access by 50,000 brokers and other third parties.
“Like others, our organisation is moving beyond the perimeter,” Cameron said. “Historically we worried about access for the staff – but now we’re dealing with a lot of business partners and suppliers, and managing access for external parties as well.”
Another key area of focus is improving the reporting of security-related metrics through a monthly scorecard that highlights “not all risk, but a collection of higher or more critical areas of concern,” he added, alongside additional reports on security incidents that actually occurred.
“We map out our progress in actually reducing the risk down to acceptable residual risk levels,” Cameron explained. “It’s all about making them real, and helping the business understand that the security investment we’ve made is actually delivering a return – not in terms of cost savings, but rather a return in ensuring the safety of the organisation.”