Compass Awards
Fleury: Shoring Up Internal Defenses
CSO Compass Award winner Lynda Fleury, CISO with insurance company Unum, thinks companies should look inward to strengthen information security's weakest link
By Joan Goodchild, Senior Editor
DLP is just one of those tools that can help us have insight into what is going on with the data. Where is the data flowing? How are employees using it? We've spent a lot of years shoring up our external facing environment. Now the trend to focus on is the insider threat.
You mentioned many clients now ask about their data. Are customers savvier now about the protection of their information?
Yes. My team responds to anywhere from 50-75 customer RFPs a year. This could be potential new customers seeking to buy Unum product. It could be existing customers renewing their business. Other customers, like everyone else, are saying 'Hey, wait a minute. We need to be concerned with the data we are giving to service providers.'
It is not uncommon for us to have existing customers require us to fill out an information security privacy risk assessment. Inevitably every one of those RFPs, every one of those questionnaires, every one of those self-audits asks: 'What are the technologies you are using to protect the data we are entrusting to you?' DLP is mentioned nine times out of ten.
How important has staff education been to your DLP plan?
Very important. The challenge for any information security program today is the insider. It's the employee, it's the contractor, whether intentionally or unintentionally, mishandling information. The insider is the weakest link.
It continues to be a challenge. How do you measure the effectiveness of all of your policies and procedures? How do you ensure and measure compliance? I think data loss prevention is one of those technologies that can help us figure out what is going on and where we might have some weak links in our awareness program or in our policies.
How do you see the threat landscape these days when it comes to cybercrime?
The threat landscape changes every day. The things we see a lot of now are the hacks, the cyber threats, the social engineering, that seem to come in under the radar. We've done a phenomenal job with our attack and pen vulnerability management. We test with a third party every year. We monitor every day. We are always finding the big things. It's the little things and the after the fact that makes us think: 'Wait a minute. Seems like we've got this PC, or this asset on the wire, that is sending out SMTP traffic. Why?'
So we are looking at some threat, vulnerability, and incident correlations to help us get more proactive. My team has done a great job keeping things at bay. But I don't think the threat is going away.



