You know you've got a security problem but you don't have the budget to engage a consulting firm for a comprehensive...
security audit. What's an IT security pro to do?
In the case of Hanover Insurance Group, a $3 billion property and casualty insurer, the answer was to get creative. Jeff Bardin, newly hired as CISO at Hanover in late 2004, went to the library of publicly available assessment tools and used the RFP process creatively to assemble a comprehensive list of vulnerabilities. His team then used that data to alert top management to the risks and to attack holes methodically, beginning with the low-cost/high-benefit options and working down.
Bardin, a former CIO, faced numerous security shortcomings when he arrived on the scene. Encryption use was spotty, peer-to-peer software use was potentially exposing proprietary data to outsiders and one employee was even buying and selling guns over the company's Internet connection.
Bardin and his team kicked off a top-to-bottom assessment of the security landscape using proven and freely available tools. The IT staff filled out a National Institute of Standards 800-26 Assessment questionnaire that had been downloaded and modified with terms borrowed from the Capability Maturity Model (CMM), a widely used software best practices benchmark. "I knew the IT staff would understand the questions because Hanover was already a CMM Level 3 shop," Bardin said. The results helped identify deficiencies in IT practices and processes.
While the best practices education we going on, Hanover's seven-person security staff conducted a comprehensive audit. "We turned over everything, scanned everything, did physical walkthroughs, even sat in CEO's chair at night," Bardin told an audience of IT managers at the Babson College Center for Information Management Studies recently.
The results of the surveys were rolled up into a series of easily understandable tables and charts showing how Hanover measured up against the standards in key security areas. At the same time, the team was creatively leveraging the RFP process to gather more data.
Bardin invited vendors to come in and demonstrate their intrusion detection and prevention products but to do it in Hanover's production environment. The result showed that while Hanover's inner network hadn't been penetrated, the exterior was under assault.
The tests hit home with corporate management. "It showed that we may be in Worcester, Mass., but we're under constant attack from all over the world," Bardin said. "It raised awareness." He cautioned that IT pros should be up front with vendors if they plan to use evaluation data in this way.
The security team compared the vulnerability assessment against a list of the biggest risks to Hanover's business. The results were mapped into four quadrants on a cost/risk chart. That set the priorities and the team immediately set about tackling the best opportunities.
The presentation to company management had a few more bells and whistles. Bardin sought out data on which security projects other insurance companies were attacking. He also found a Gartner chart showing that security investments were likely to decline over time after the initial holes were filled. That made for a compelling argument for a stepped-up investment in security. And while Bardin said he'd always like to have more money for security, the company's awareness of the issue has improved from the top down.
Hanover still hasn't reached its goals of a "zero-incident culture," but as a result of the comprehensive assessment, it has its plans in place and 97% of the employees have taken compliance training. "We know where we stand relative to most of our vulnerabilities," Bardin said. "We have a real good idea of where the gaps are and what we still have to fill."
Paul Gillin is a technology writer and consultant and former editor-in-chief of TechTarget. His Web site is www.gillin.com.