Security 7 award winner Craig Shumard:
There was a time not long ago when very few companies got "it," says Craig Shumard. "It" being the realization that information security and risk management are paramount to every enterprise.
"Back in the late 1990s, when we talked to our peer companies, the level of sophistication on risk issues wasn't there," says the CISO of health care and insurance giant CIGNA. "Today, there's really been a lifting of all boats."
Shumard deserves his share of credit for that evolution. After more than a quarter century at CIGNA, the last seven as CISO, the 55-year-old has become perhaps the most outspoken security executive in his industry. In fact, he's not averse to working with competitors to help them grasp why the safety of sensitive data is not to be taken lightly, especially when contractors and business partners are involved.
"One of the things that has always concerned me is the fact that when people look at their business partners, they look at them with different lenses...less diligently," Shumard says. "We have reviewed numerous third parties with serious issues, only to find that they do business with other big-name companies who paid little or no interest to the risk of their data. Having some sort of criteria that's consistent and robust, and getting suppliers and third parties certified, so to speak, would go a long way toward promoting information security in our industry and across industries."
Yet even after recent high-profile data breaches, Shumard says there still are organizations that haven't put measures in place to account for and control access to sensitive data. Worse yet, he says, some still underestimate the threat posed by rogue, trusted users.
In CIGNA's case, the $16.8 billion firm has an extensive list of information security policies, but Shumard says more than half of them can't be fully enforced because user actions can't be properly monitored and controlled. That means relying on its 28,000 employees to follow policy. For many firms, that's where things go wrong.
For instance, Shumard says that like many companies, CIGNA allows employees to decide whether email messages should be encrypted based on the sensitivity of each message. Users are also tasked with encrypting data on removable media, but since it's not an automatic process, it's easy to forget.
Even security vendors don't fully recognize the problem. Shumard says most security products available today focus on external threats, rather than controls and processes to manage trusted users.
Despite those difficulties, CIGNA has been able to mitigate internal and external dangers because employees buy into the importance of security. Shumard says a company-wide program only thrives when it is an ingrained part of the corporate culture. That's why when he helped develop CIGNA's first comprehensive risk profile many years ago, he didn't restrict the process to a select few decision makers.
"When we did our first risk assessment, we had input from more than 250 people, and quite frankly, for many that was the first time they had thought about these issues," he says. "It started the whole process of engaging people, and was the genesis of our strategic road map."
Bill Downes, assistant vice president of the information protection organization at The Hartford, has exchanged ideas with Shumard on different technology rollouts and process issues. The Hartford and CIGNA push security responsibilities into lines of business, and the two have been a sounding board for strategies, successes and struggles.
"It's always beneficial to have someone you trust in the industry," Downes says. "A guy like Craig is street smart. He provides feedback and input you could trust."
Looking ahead, Shumard says the pool of information security professionals has never been larger and more talented. The people he hires today, who have often studied information security in college and have seven or eight years of experience in the field, are much more capable than new hires were just a few years ago.
Shumard is quick to emphasize the success of his team, which he says deserves the credit for executing the risk-based program that has kept the company's data safe.
"If I were to retire today," Shumard says, "given the fundamentals we've put in place and the way we've positioned and framed security, I'm very comfortable that the organization would sustain itself and thrive."
This story was originally published by Information Security Magazine, part of the TechTarget network.