
Defending the rock: Prudential's security culture and change control management

Cover story: Prudential's ingrained security culture and change control management makes it a security program worth emulating.

This article can also be found in the Premium Editorial Download: Information Security: Chain of command: Inside Prudential's security management program

Kenneth Tyminski knew he had a problem when Microsoft announced the DCOM-RPC vulnerability (bulletin MS03-026) in July '03.

As the CISO of Prudential Financial, he had thousands of vulnerable Windows workstations and servers, and it was only a matter of time before a worm began burrowing through the Internet.

Prudential Financial's enterprise information security management staff
Left to Right: Joyce R. Leibowitz, Senior VP, Corporate Operations and Systems; William Friel, Chief Information Officer; Kenneth Tyminski, Chief Information Security Officer; Mary Rose Freddo, Business Security Officer, Insurance Division; Charlene Bowie, Information Systems Manager; Amy Tomea, Process Management Analyst

For many large enterprises, Tyminski's task would be overwhelming. But, within a week, Tyminski's staff issued corporate-wide vulnerability advisories, tested the patch and repaired nearly 90% of the affected machines.

Prudential was largely shielded from a devastating infection well before the Blaster worm appeared in August. What enabled that quick response was a fine-tuned command and control strategy, in which everyone -- from the CEO to the newly hired administrative assistant -- embraces his or her security role and responsibility.

"It's about managing the business, not having the best security products on the market," says Tyminski. "Develop the right process, make sure it's what you need to be secure and that end users have the tools to do it."

This is not sexy stuff. It's policy, procedures and standards that enable the company to effectively respond to ongoing and emerging security threats.

Prudential is emblematic of a large enterprise that gets security. It has no choice. Ranked 57 on the Fortune 500, Prudential is an international conglomerate offering financial services ranging from insurance and banking to asset management and real estate, which makes it subject to a growing list of government regulations. The Newark, N.J.-based firm has nearly $425 billion in assets under management and generates more than $27 billion in annual revenue, which makes it a prime hacker target.


Prudential's massive IT infrastructure is the engine that drives business. Data -- more than 150 terabytes a day -- is the fuel. Security is the armor that ensures the confidentiality, integrity and availability of that engine.

Over the last four years, Prudential has ingrained security in every aspect of its corporate culture. It has transformed the perception of security being "someone else's problem" to everyone's responsibility. It has established lines of communication, awareness and education programs, developed mature policies and procedures, and defined clear roles and responsibilities throughout the corporate hierarchy.

In short, Prudential has institutionalized the "Confidentiality-Integrity-Availability" security mantra in a manner that would make similar organizations envious. While different environments will have unique security requirements, the Prudential model is worth studying and emulating.

Pivot point: The CISO
All security roads at Prudential lead to Kenneth Tyminski, the company's first CISO.

In 1998, Tyminski was handpicked to create a centralized, corporate-wide security program. He was given the authority to create and enforce policies across Prudential's various business divisions and various sub-divisions.

Tyminski's first action: Dismantling the security operations center.

"It didn't belong in a separate group," he recalls. "I moved it to the operations control center, which now includes the network and security. You now see the people in network operations watching the IDS. It was a real big hit with my staff, because they didn't stay up at night. The guys in networking knew how to handle an alert."

Dismantling a SOC is heresy among conventional security practitioners. But Tyminski isn't a conventional CISO. He's representative of a new breed of security executives, who come from business backgrounds and blend business thinking with security objectives.

In his 30-year career, Tyminski has held a number of IT and business positions -- operations, research projects, IT engineering and maintenance. With 18 different assignments under his belt, Tyminski's been around Prudential and understands the company's philosophy, culture and needs.


"We're operating a business, and there's always going to be risk associated with doing business, so we should be looking to minimize that risk," he says.

Poor risk management, meaning the failure to measure risk and apply security proportionate to it, is the folly of many unsuccessful security programs. Entrenched infosecurity technologists have approached security from the perspective of "deny everything" and thrown more technology (read: money) at threats and risks. The result is often the perception of security as an expensive inhibitor to business operations -- especially new IT-based ventures.

Prudential isn't throwing money at infosecurity. Rather it's practicing thoughtful risk management, which produces appropriate security protections with a reasonable impact on business functions.

Instilling security responsibility in individuals is how Tyminski and his team have made security a top priority. After four years of beating the security drum, he's seen a sea change in people's attitudes.

"When I used to ask [end users] who was accountable for security, they would say the information security officers," says Tyminski. "Today, you ask that question, and they'll all raise their hands."

Support for Tyminski's security program comes straight from the top. Given the myriad threats, Prudential's senior executives view security as an investment for ensuring business.


Granting authority
Increasingly, security isn't just a necessity for business operations, but a statutory requirement.

Prudential is hit with multiple regulatory whammies. It falls under the security requirements of Gramm-Leach-Bliley for financial services, HIPAA for health care information, and Sarbanes-Oxley for corporate accounting and data integrity. Overseas, it's subject to the EU Data Protection Directive. And, because of its West Coast operations, it's governed by California's breach-notification law (SB 1386), which took effect in July 2003.

"We have strong support for compliance with these emerging rules and regulations," says Joyce R. Leibowitz, senior VP of corporate operations and systems. "A good, strong security program is the way we want to do business, and it provides the foundation for doing the right thing for our employees and our customers."

Leibowitz shares oversight of Prudential's IT and physical security programs and strategy with CIO William Friel. She is responsible for policy and processes, while Friel takes technology and solutions. Tyminski reports to both.

A former schoolteacher who worked her way up the Prudential corporate ladder over the last 35 years, Leibowitz repeats the mantra heard throughout the security organization, "Awareness, awareness, awareness." Several steps removed from the operational level, she speaks incisively about the need for individuals knowing the importance of protecting data and having a stake in the security process.

"Yes, we have compliance from our end users because of our well-established security community," she says. "There's a clear message from the top about the importance of protecting information, the importance of complying with company policy, and I believe we're reasonable."

In any organization, policies dictated by the corporate office are meaningless unless failure to follow them has consequences. Prudential avoids the mistake made by countless other enterprises by empowering the security organization from the top. The executive level sets the agenda and monitors effectiveness, the middle layer -- Tyminski's CISO office -- develops the tactical policies and procedures, and the operational level implements them. There's clear delegation of duties and authority up and down the chain.


Procedures, and the people who implement them, are crucial, since technology alone can't guarantee security. "Security is a process, not a product" is an adage well known to Friel.

"Can we ever be 100% protected? No, it's an offense/defense," says Friel, who became Prudential's first CIO in 1988.

A former NSA analyst and career IT executive, Friel has the appearance of General Patton and the demeanor of an elder statesman. Effortlessly, he speaks of the vastness of Prudential's infrastructure -- 70,000 attached systems, 20,000 remote systems, 4,500 servers, two large mainframe data centers and hundreds of commercial and proprietary business applications.

In turn, Friel recounts the endless number of threats: new worms, faulty code riddled with vulnerabilities, hackers, cyberterrorists and malicious insiders. A breach by any one of these vectors could expose precious data, cost millions of dollars in recovery and downtime, and leave the company open to any number of civil and criminal charges.

"The most vexing thing is the number of vulnerabilities in the software we use," he says. "A vulnerability is announced, it's addressed and, three weeks later, there's another vulnerability. We need to do a much better job in the IT industry in providing better security."

Securing the infrastructure, he says, is impossible without delegating responsibility down the chain to those closer to the front lines. Equally critical is communicating the importance of security to everyone in the organization.

"It's a question of making sure the people in the organization recognize that there are good reasons for security policies, and that it's not just bureaucrats trying to impose rules and regulations," Friel says.

In Prudential's three divisions -- Insurance, Investment, and International Insurance and Investments -- the job of implementing and enforcing security mandates falls to the security directors -- also known as business security officers, or BSOs.

Tough balancing act
In Prudential's insurance division, Mary Rose Freddo is the law.

As the BSO, Freddo is armed with the authority granted by senior management and the unwavering support of the CISO's office to implement corporate security policies and enforce compliance.

"They've given me the authority to do what I need to do to get the job done," says Freddo. "That's a good thing, it cuts out the bureaucratic red tape. If they didn't give me the ability to do that with the appropriate authority, then they would have tied my hands."

Authority is precisely what Freddo needs to manage security for the insurance division, which represents $32.9 billion of Prudential's portfolio. Like most mid-level infosecurity managers, she has to bridge the difficult gulf between the strategic initiatives of the executive suite and the turbulent waters of task-oriented operations.

"When you don't have top-down support, you lose your leverage for getting things done when they need to get done," she explains. "It's not unique to security; any position would have that problem."

A no-nonsense woman who rose through the Prudential operational and IT ranks, Freddo wears many hats. She's an executive who implements policy. An unapologetic arbitrator who ensures policy compliance. A diplomat who resolves security and operations disputes. An educator on the importance of security. And a diligent, in-the-trenches taskmaster who directs ongoing operational issues, such as controlling access privileges and responding to the latest malware outbreaks.

"You have to have a level of strategic ability in this role to make sure you're looking at the big picture and positioning yourself to be ready for anything that comes from a big-picture perspective," says Freddo.

Freddo's situation isn't unique among infosecurity managers. They are often caught in the confluence of strategic visions and daily security duties. In large enterprises, the biggest challenge is staying on top of the changing environment, assessing resources and assets, and ensuring proper protections are applied.


Freddo has no illusions that she and her team are ahead of the security curve. Rather, like most in her position, she admits they're constantly fighting to keep pace with emerging threats. One of the things Prudential does to keep pace with its security challenges is structured change control.

Controlling change
Nothing goes on Prudential's network without a security review and the security department's signoff. And the first line of compliance checking in the Insurance division is Charlene Bowie.

"No matter what application it is, we have to sign off on it. We have to make sure it meets our security control standards," says Bowie, an information systems manager and a member of Freddo's staff.

Security has a prominent seat at the application development and network management table. It's one of the first and last steps in the development process or purchasing cycle.

At this level, security reviewers like Bowie are acutely aware of the value of the data and assets they're protecting. The entire assessment system is based on data value. An application's security rating is based on a variety of factors, including the data it will process, its location in the corporate IT infrastructure, the applicability of security regulations such as GLBA or HIPAA, and the existing protections that will surround it. It's a somewhat subjective system, but one that ensures that applications get security that corresponds to their level of risk.

"Of course, the higher the risk, we focus on those applications first to make sure they're in compliance with our standards," says Bowie. "As the risk gets lower, our concern decreases."

Stringent change control guards the network, but flexibility is what keeps security from becoming a business inhibitor. For instance, waivers can be granted to critical applications, giving developers time to meet the security standards while applications are being pushed into production. The practitioner's caveat: a waiver is an accepted risk, not a resolved one, so it needs an expiry date, a named owner and tracking to closure, or the "temporary" exception quietly becomes permanent. Adequate time is also taken to raise the security posture of assets obtained through mergers and acquisitions.
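The risk-tiered review described above (data value, network placement, applicable regulation, existing protections) and the time-boxed waivers can be made repeatable in a few dozen lines. The example below is an added illustration, not Prudential's own tooling or process; the weights, tier boundaries, control credits, application names and the sample inventory are all assumptions made for the example, and should be replaced with figures that reflect your own environment.

```python
"""Risk-tiered review queue with time-boxed waivers.

Added illustration, not Prudential's own tooling. The weights, tiers,
control credits and sample applications below are assumptions made for
the example; the point is that a "somewhat subjective" rating becomes
reproducible once the factors and their weights are written down.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Union

# Assumed scoring weights (hypothetical; tune them to your environment).
DATA_SCORE = {"public": 0, "internal": 2, "confidential": 4, "restricted": 6}
EXPOSURE_SCORE = {"isolated": 0, "internal": 2, "partner": 4, "internet": 6}
REGULATION_SCORE = {"GLBA": 2, "HIPAA": 3, "SOX": 2}
# Existing protections earn credit against the inherent score...
CONTROL_CREDIT = {"mfa": 1, "encryption_at_rest": 1, "segmentation": 1, "monitoring": 1}
# ...but controls can only lower risk so far; they never make a regulated asset "free".
MAX_CONTROL_CREDIT = 3


@dataclass
class Application:
    name: str
    data_class: str
    exposure: str
    regulations: List[str] = field(default_factory=list)
    controls: List[str] = field(default_factory=list)
    # Standards not yet met; the gap is accepted only until this date.
    waiver_expires: Optional[date] = None


def risk_score(app: Application) -> int:
    """Inherent risk (data + exposure + regulation) less capped control credit."""
    if app.data_class not in DATA_SCORE:
        raise ValueError(f"unknown data class: {app.data_class!r}")
    if app.exposure not in EXPOSURE_SCORE:
        raise ValueError(f"unknown exposure: {app.exposure!r}")
    inherent = DATA_SCORE[app.data_class] + EXPOSURE_SCORE[app.exposure]
    inherent += sum(REGULATION_SCORE.get(r, 0) for r in app.regulations)
    credit = min(sum(CONTROL_CREDIT.get(c, 0) for c in app.controls), MAX_CONTROL_CREDIT)
    return max(inherent - credit, 0)


def risk_tier(score: int) -> str:
    """Assumed tier boundaries: 10 and above high, 5 to 9 medium, below 5 low."""
    if score >= 10:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def review_queue(apps: List[Application]):
    """Highest risk first; ties broken by name so the order is reproducible."""
    scored = [(risk_score(a), a) for a in apps]
    scored.sort(key=lambda pair: (-pair[0], pair[1].name))
    return [(a.name, s, risk_tier(s)) for s, a in scored]


def lapsed_waivers(apps: List[Application], today: Union[date, str]) -> List[str]:
    """Applications running on a waiver that has expired: escalate, don't forget."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    return sorted(a.name for a in apps if a.waiver_expires and a.waiver_expires < today)


# Constructed sample inventory for the example (not real Prudential systems).
SAMPLE_APPS = [
    Application("claims-portal", "restricted", "internet", ["GLBA", "HIPAA"],
                ["mfa", "encryption_at_rest"]),
    Application("partner-feed", "confidential", "partner", ["GLBA"], [],
                waiver_expires=date(2003, 9, 30)),
    Application("hr-benefits", "confidential", "internal", ["HIPAA"],
                ["mfa", "segmentation", "monitoring"]),
    Application("cafeteria-menu", "public", "internal"),
]

if __name__ == "__main__":
    for name, score, tier in review_queue(SAMPLE_APPS):
        print(f"{name:16} score={score:2d} tier={tier}")
    print("lapsed waivers:", lapsed_waivers(SAMPLE_APPS, "2003-10-15"))
```

Two design choices are worth noting. Control credit is capped, so an Internet-facing application holding restricted data cannot score its way out of review by listing every control it has; and the waiver check is a separate query over the same inventory, so a lapsed exception surfaces on its own rather than being buried in the risk score.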

"We understand the risk, and tailor the policy to address that risk. That's how you get more cooperation and buy-in," says senior VP Leibowitz. "It's not one size fits all."

But how much clout does infosecurity have? Can infosecurity delay or veto a development project that could generate millions in revenue? Absolutely.

Most infosecurity managers would kill for the authority and management support Prudential's security team has in business initiatives. In one instance, CISO Tyminski's team delayed the deployment of a new application that would have saved Prudential millions in operation costs. While there was a little angst among the application's owners, corporate executives had no problem with the action.

"We don't get resistance from the business people or the vice chairman when I meet with them; they're very supportive," says Tyminski. "All of them recognize the nature of the business, and that security comes along with it."

That understanding comes from the ingrained security culture Prudential has diligently cultivated through an intensive, ongoing awareness program.

Cultural awareness
Hanging on the wall of Prudential's Information Services office is a simple letter-sized poster of dirty laundry strewn over furniture. The message: "You wouldn't leave your underwear lying around, so why would you treat your password that way?"

The poster is just one of the numerous reminders of the premium Prudential has placed on security.

Security -- IT and physical -- is visible everywhere at Prudential. RFID-enabled turnstiles control building access, employees are required to wear clearly visible ID badges, customized Post-it notes remind workers to guard their passwords, and the company's daily newspaper regularly includes security tips and policy notices.

"Just doing things like that -- walking the walk -- lets employees know it's important to do it," says senior VP Leibowitz.

This month, Prudential's Shared Services division is holding its annual security awareness day. The theme: "Secure and protect, don't forget." The event will feature game show-like competitions and other fun activities that reinforce dry, sometimes confusing security policies.

"It really allows us to get our message out there," explains Amy Tomea, a process management analyst who heads up the Shared Services' awareness program.

A former administrative assistant to the CISO turned security evangelist, Tomea understands the corporate position on security. When she's not dreaming up the next security awareness campaign, she's triaging employee security inquiries or reviewing logs for enforcement action. In every instance, she works with employees to make sure they understand the importance of policy compliance.

"Sometimes it's difficult to get the message across," Tomea says. "By making security fun, it's much easier."

Security awareness costs money, but it's money well spent in Prudential's estimation. The goal is more of a religious conversion. The company offers employees seminars on identity theft and safe Web surfing. It also provides free AV software for employees' home computers, as well as security support services. The idea is simple: If employees understand the value of data on their home computers, they'll have greater appreciation for Prudential's data.

"People here will tell you that infosecurity is part of every employee's job," says Leibowitz. "I don't believe we can secure information without first getting every employee involved and responsible for security."

Compliance is compulsory. Since Prudential's management is committed to fostering a security culture, end users and unit managers haven't been given much choice in accepting security.

"The company takes security very seriously. You see it on the physical side and the IT side," says CISO Tyminski. "If you break a security rule around here, and you didn't know about the policy, we're tolerant. If you break it twice, we're not very tolerant."

Accepting risk
Prudential isn't an infosecurity spendthrift, and security isn't done for security's sake. Rather, the infosecurity management team exercises business logic when developing and implementing infosecurity policies. Then, it applies appropriate levels of protection.

"We approach it from a business risk, not that we need $10 million to address this problem," says Tyminski. "We have a business problem and there's a business risk."


At risk are a 128-year-old brand that's recognized around the world, the confidence of 15 million customers and 54,000 employees, and billions of dollars in retirement funds, pension plans, and life and casualty insurance accounts. Guarding that is a jealous, ceaseless exercise.

"There's no appetite for failure," says senior VP Leibowitz.

What makes Prudential worthy of emulation is its culture. The corporation embraces security as a means for doing business, and there's good reason -- Prudential's business is about risk. It accepts others' risk by underwriting business ventures against disasters, accidents and legal liabilities. And it assumes risk in its institutional investments and brokerage services.

Security of its data is a means of mitigating the risk to its operations. The security team does what it can -- what's required -- to effectively prevent a breach or data leakage. Still, despite all of the policies, procedures and safeguards, there's a healthy acceptance that nothing is foolproof.

"There's a reality that has to be accepted and understood that bad people do bad things," says BSO Freddo. "You have to take all the steps necessary to protect yourself and your data. You just have to do the absolute best that you can to protect the environment."

This was last published in October 2003
