Do not envy Mark Odiorne. As the CISO at Scottish Re, a reinsurance concern with more than $12 billion in assets, Odiorne is the only full-time security practitioner on staff. In addition to fighting malware and other threats, he also has responsibility for much of the company's compliance efforts, which are substantial. Odiorne gave us his insights on attacking your own network, prioritizing security for senior management and the joys of compliance.
What led you to look for a penetration testing tool in the first place? That's not on everyone's shopping list.
Odiorne: We had a security provider that didn't work for us a couple of years back. We had a couple of Internet points of presence, a few data centers and one of the things they would do was a vulnerability assessment of that, but not a full-on pen test by any stretch. So we would get their reports and they were using some of the same tools we were at the time. It wasn't telling us if we were really vulnerable or not. So we would take that report and then every month I would have to report back. A couple times of year they would do the same thing from the inside. We would also periodically have our outside auditors come and do a full-on pen test. We were spending a good amount of time addressing what they were letting us know about and then basically having to prove that we were protected or we were not, based on that information. So I got introduced to the Core product and started testing it and it ended up being pretty valuable information. This particular tool gave us the opportunity to do it full on. Anytime we make a change, we don't have to wait till the end of the month for the outside guys to do a test and tell us how we're doing. We've saved a lot of time. I can talk to management and say, this is where we have a problem and we need to address it.
As a public company, you have some compliance requirements to meet. What are the ones that take up the most time for you?
Odiorne: Sarbanes is probably the biggest focus. Gramm-Leach, because we're a financial services company as well. We regularly get audited by states. What we have found is because we used the ISO standard to build our security model, whether it's Gramm-Leach or Sarbanes or something else, we can pretty much track anything they're looking at to that model. When the company was still young and we were preparing for the first couple of Sarbanes audits, we were constantly being asked by businesses, hey we need this, we need this server, this connectivity. So we were constantly writing policies on the fly. So every year, when the auditors would come back in, we had a lot of new processes in place and they had some testing to do. That's also why we've made information security more of a priority and has some more resources applied to it. When I got here five years ago, the company really didn't have business continuity and disaster recovery programs at all.
What are the challenges you think will take will take up a lot of your time in 2007?
Odiorne: Business continuity, disaster recovery are our new focuses. One of the big focuses for senior management is let's make sure our data, whether it's in motion or it's at rest it's protected. We've been buried in our Denver office by snowstorms and that sort of thing, our Cayman office nearly got blown off the map by Hurricane Ivan and our Bermuda office got the same thing. So we've really got a big push to make sure that data is available 24 by seven around the world. We're making sure that our data is replicated in several places around the world. Another challenge for us is that our company is very mobile, We have a lot more laptops than desktops and people travel quite a bit. Protecting those assets is a big deal for us. We see a good bit of virus attacks and malware and we keep seeing the threats change somewhat as the bad guys are more motivated by making money off this somehow. So we see a lot more technology, a lot more money behind the efforts. There's a reputation component in that for us. We don't want to be known as the company that got hit.
How much of the responsibility for the disaster recovery plan falls on you and how much is on the storage folks?
Odiorne: It's actually probably now more on the storage side. But it all kinds of falls under security, to ensure that everything is secure, is backed up, is tested. We're conscious of the fact of not opening ourselves up internally, making sure that the right eyes are looking at it. Scottish does a lot of work with the data that we get from our clients to turn it around and make it back available to them. No matter where that data is, we have to make sure that it's protected and only the right eyes are seeing it.