by Senior Editor

Fleury: Shoring Up Internal Defenses

Mar 24, 2009
Compliance | CSO and CISO | Data and Information Security

CSO Compass Award winner Lynda Fleury, CISO with insurance company Unum, thinks companies should look inward to strengthen information security's weakest link

Things have changed quite a bit since the early days of Lynda Fleury’s career. She remembers when the IBM 8086 running MS-DOS was hot technology. Fleury, who has almost three decades of experience in infosec, was recently named a Compass Award winner by CSO. The CISO with Tennessee-based insurance company Unum sat down with Senior Editor Joan Goodchild to discuss her thoughts on the challenges facing information security today.

CSO: How do you make the case for security as a business driver in these tough economic times?

Lynda Fleury: It’s a challenge. Especially where the company is going through some economic challenges and wants to keep our budget flat. We strive to secure our initiatives with the business. Everything we are doing in 2009 is in alignment with our critical success factors. Two of those are extended availability along with quality.

There are some things we are looking at this year that we have put off in past years, such as event correlation. We are looking to invest in event correlation to streamline internal processes and reduce the need for a headcount increase. The goal is to make things a little more effective and efficient.

We are also looking at data loss protection as a way to align with our business strategy around protecting information that has been entrusted to us by our customers. One of the key things customers are always asking about is data loss prevention.

Obviously there is a list of things I would like beyond that. If my CTO or CIO came to me and said ‘You’ve got five million dollars to spend this year,’ I would know exactly what I want to spend it on. But being a good corporate citizen means realizing that everybody is facing challenges right now. I don’t want to ride the coattails of risk anymore and Sarbanes-Oxley. I’m seeking to do things that are meaningful to the quality of our program around information security and protecting our critical assets.

Is DLP the big priority now for security?

I think it is. There are a couple of factors. There seems to be a slowdown in the swirl around acquisition of boutique products. So you have some of the big players investing in that technology to round out their total security suite of tools. I think the other thing is it is becoming a liability not to have DLP. And for us, it’s more around how do you measure compliance with your existing policies and procedures around data protection and information privacy.

DLP is just one of those tools that can help us have insight into what is going on with the data. Where is the data flowing? How are employees using it? We’ve spent a lot of years shoring up our external facing environment. Now the trend to focus on is the insider threat.

You mentioned many clients now ask about their data. Are customers savvier now about the protection of their information?

Yes. My team responds to anywhere from 50-75 customer RFPs a year. This could be potential new customers seeking to buy Unum product. It could be existing customers renewing their business. Other customers, like everyone else, are saying ‘Hey, wait a minute. We need to be concerned with the data we are giving to service providers.’

It is not uncommon for us to have existing customers require us to fill out an information security privacy risk assessment. Inevitably every one of those RFPs, every one of those questionnaires, every one of those self-audits asks: ‘What are the technologies you are using to protect the data we are entrusting to you?’ DLP is mentioned nine times out of ten.

How important has staff education been to your DLP plan?

Very important. The challenge for any information security program today is the insider. It’s the employee, it’s the contractor, whether intentionally or unintentionally, mishandling information. The insider is the weakest link.

It continues to be a challenge. How do you measure the effectiveness of all of your policies and procedures? How do you ensure and measure compliance? I think data loss prevention is one of those technologies that can help us figure out what is going on and where we might have some weak links in our awareness program or in our policies.

How do you see the threat landscape these days when it comes to cybercrime?

The threat landscape changes every day. The things we see a lot of now are the hacks, the cyber threats, the social engineering, that seem to come in under the radar. We’ve done a phenomenal job with our attack and pen vulnerability management. We test with a third party every year. We monitor every day. We are always finding the big things. It’s the little things and the after-the-fact that make us think: ‘Wait a minute. Seems like we’ve got this PC, or this asset on the wire, that is sending out SMTP traffic. Why?’

So we are looking at some threat, vulnerability, and incident correlations to help us get more proactive. My team has done a great job keeping things at bay. But I don’t think the threat is going away.

Back to the issue of staff education. Have you worked with employees to educate them about potential network threats?

We have a lot of experience on our team. There are probably, collectively, 40-50 years of total network experience. What we are doing now is taking what we are learning from the attacks we see, the threats we see, and turning it into knowledge. We are educating our IT professionals, especially our developers who are out there surfing the web looking for code samples. The idea is to be able to say ‘Hey, here is what happens when you download something from certain sites. Here is a safe way to search for the things you are searching for in your daily job.’

Our efforts are really focusing on digging deeper and getting beyond the typical awareness training. Now we are getting it into the hands of the end user.