News Stay informed about the latest enterprise technology news and product updates.

A CISO's lessons in building a security plan

The man in charge of information security at a Massachusetts insurance company explains how he built up the company's IT defenses from the top down.

You know you've got a security problem but you don't have the budget to engage a consulting firm for a comprehensive security audit. What's an IT security pro to do?

In the case of Hanover Insurance Group, a $3 billion property and casualty insurer, the answer was to get creative. Jeff Bardin, newly hired as CISO at Hanover in late 2004, went to the library of publicly available assessment tools and used the RFP process creatively to assemble a comprehensive list of vulnerabilities. His team then used that data to alert top management to the risks and to attack holes methodically, beginning with the low-cost/high-benefit options and working down.

Bardin, a former CIO, faced numerous security shortcomings when he arrived on the scene. Encryption use was spotty, peer-to-peer software use was potentially exposing proprietary data to outsiders and one employee was even buying and selling guns over the company's Internet connection.

Bardin and his team kicked off a top-to-bottom assessment of the security landscape using proven and freely available tools. The IT staff filled out a National Institute of Standards 800-26 Assessment questionnaire that had been downloaded and modified with terms borrowed from the Capability Maturity Model (CMM), a widely used software best practices benchmark. "I knew the IT staff would understand the questions because Hanover was already a CMM Level 3 shop," Bardin said. The results helped identify deficiencies in IT practices and processes.

Helpful hints

The key to raising awareness of information security in an organization is to communicate up, said Jeff Bardin, CISO at Hanover Insurance Group. Here are a few of his tips.

  • Seek out a trusted sponsor who knows how key managers will react to your message
  • Align your security priorities with business objectives so you tackle the big payoff problems first
  • Make sure you know how much the project will cost
  • Know top management's priorities and make them your priorities
  • Share data beforehand so there are no surprises
  • Know what the competition is doing and don't attack projects that are too far out of line with the market's thinking
  • The IT organization evaluated itself against the IT Infrastructure Library (ITIL) and Information Technology Service Management standards for service level performance. And Bardin started teaching mini-sessions on the ISO 17799 security standard. The objective was to attack the problem of data leakage. "I knew that if you have strong IT operating standards your security is going to be much better," Bardin said.

    While the best practices education we going on, Hanover's seven-person security staff conducted a comprehensive audit. "We turned over everything, scanned everything, did physical walkthroughs, even sat in CEO's chair at night," Bardin told an audience of IT managers at the Babson College Center for Information Management Studies recently.

    The results of the surveys were rolled up into a series of easily understandable tables and charts showing how Hanover measured up against the standards in key security areas. At the same time, the team was creatively leveraging the RFP process to gather more data.

    Bardin invited vendors to come in and demonstrate their intrusion detection and prevention products but to do it in Hanover's production environment. The result showed that while Hanover's inner network hadn't been penetrated, the exterior was under assault.

    The tests hit home with corporate management. "It showed that we may be in Worcester, Mass., but we're under constant attack from all over the world," Bardin said. "It raised awareness." He cautioned that IT pros should be up front with vendors if they plan to use evaluation data in this way.

    The security team compared the vulnerability assessment against a list of the biggest risks to Hanover's business. The results were mapped into four quadrants on a cost/risk chart. That set the priorities and the team immediately set about tackling the best opportunities.

    The presentation to company management had a few more bells and whistles. Bardin sought out data on which security projects other insurance companies were attacking. He also found a Gartner chart showing that security investments were likely to decline over time after the initial holes were filled. That made for a compelling argument for a stepped-up investment in security. And while Bardin said he'd always like to have more money for security, the company's awareness of the issue has improved from the top down.

    Hanover still hasn't reached its goals of a "zero-incident culture," but as a result of the comprehensive assessment, it has its plans in place and 97% of the employees have taken compliance training. "We know where we stand relative to most of our vulnerabilities," Bardin said. "We have a real good idea of where the gaps are and what we still have to fill."

    Paul Gillin is a technology writer and consultant and former editor-in-chief of TechTarget. His Web site is

    Dig Deeper on Security audit, compliance and standards

    Start the conversation

    Send me notifications when other members comment.

    Please create a username to comment.