Security metrics inform cross-unit IT-business collaboration: IAG CSO

Much is made of the need for security professionals to improve communications with business executives, but insurance giant Insurance Australia Group (IAG) has dealt with a different challenge after a formal security council was recently established to co-ordinate security responses between the company’s five different CIOs.

With IT security delivered on a shared-services basis across IAG, the establishment of a security working group was a natural step to ensuring those services were meeting the needs of each business unit, Ian Cameron, chief security engineer with IAG, said during a panel discussion at the recent IBM Pulse service management conference.

“With five different business units and five CIOs, there are lots of competing forces, different rates of velocities of change, and different business imperatives,” explained Cameron, who chairs the monthly meetings to present updates on the effectiveness of existing security controls, and to plan future security initiatives around emerging business imperatives.

“We work in really dynamic business environments, and the risks are changing all the time. We use the security council as a forum for presenting business cases for approval, for investments or for investment in adding to our security capabilities. We’re moving from worrying about patching apps, and moving up the stack to the business. It’s all about focusing on the preventive or proactive controls that are really just considered best practice; we are getting back to basics.”

Putting this form of cross-silo governance into action has helped improve co-ordination of security efforts across the company’s massive operations, ensuring that the security team spends less time dealing with individual business units’ idiosyncrasies and more time exploring the potential of technologies such as identity and access management (IAM).

IAM is particularly relevant for IAG because its security profile includes the management of systems access by 50,000 brokers and other third parties.

“Like others, our organisation is moving beyond the perimeter,” Cameron said. “Historically we worried about access for the staff – but now we’re dealing with a lot of business partners and suppliers, and managing access for external parties as well.”

Another key area of focus is improving the reporting of security-related metrics. A monthly scorecard highlights “not all risk, but a collection of higher or more critical areas of concern,” he added, supplemented by separate reports on the security incidents that actually occurred.

“We map out our progress in actually reducing the risk down to acceptable residual risk levels,” Cameron explained. “It’s all about making them real, and helping the business understand that the security investment we’ve made is actually delivering a return – not in terms of cost savings, but rather a return in ensuring the safety of the organisation.”


Stories by David Braue
