FST. Naturally, security is now a critical factor for any financial organization. How have you seen this area intensify in your time within the industry and how have managers’ attitudes changed over the years?
BB. Clearly the focus on information security has increased over the past couple of decades. The use of technologies increased. Abuse of those technologies grew and continues to flourish. And now we’re in a race to keep up as we implement countermeasure after countermeasure to manage the risks. The stakes are getting higher and people are more aware of the risks associated with information technology use. Consumers are aware and boards of directors are aware that careless use of technology can be very costly.
FST. Today, what are your biggest concerns as CISO? What threats pose the most danger to MassMutual’s all-important data and how do you stay one step ahead of the bad guys?
BB. My biggest concern is in keeping one eye towards the future on our long-term strategy and another eye on all the things going on constantly all around us. Every day we need to address a myriad of threats to our data. We’re in a state of constant change. We need to react and adapt quickly and we need to think long-term at the same time. We work at understanding the threats from both business and technological perspectives. We rely on both human and technology sources for information on threats. We need to know where the threats come from, what form they come in, what the motivations behind the threats are. Then we go about seeing what we can do to counter the threats and mitigate our risks.
FST. Organized criminals are increasingly turning their attention to the financial sector using the internet. What makes your industry so attractive for the fraudsters and are they getting smarter and more cunning in their efforts?
BB. Fraudsters can be very cunning, there’s no doubt. I suspect there are smart criminals targeting many industries. Yet committing fraud doesn’t necessarily require great smarts. In fact, I would bet there are more average and below average criminals than there are masterminds. In general, criminals go after what they perceive as the easy payday. Terrorists and activists might have different motives. They might want to strike a blow or make a point or steal identities they could use for a whole host of reasons. Attack vectors might be sophisticated or simple. They might come by land, sea or air, Cat 5, WiFi or VOIP.
FST. Often, protection of customer information is down to the customers themselves. How do you go about educating your clients on how to keep their details safe and what are some common mistakes made that criminals could exploit?
BB. We work with our business areas to help educate customers on steps they can take to protect themselves from fraudsters. Personal computers are often the weakest link in an on-line commerce relationship. We recommend that computers be patched regularly to address software vulnerabilities. We also recommend that customers install and use software that defends against malicious software. Personal firewall, antivirus and anti-spyware software can help thwart many of today’s cyber threats.
FST. Do you work with your competitors to share information on security? If so, what benefit does this offer MassMutual and the industry as a whole?
BB. Yes, we share information where appropriate. There is great shared-learning amongst information security practitioners, particularly in the Financial Services industry. Members of my staff and I belong to and participate in quite a few security organizations. I encourage people to get involved, compare notes and build relationships. MassMutual benefits from being able to benchmark ourselves against the industry and by learning from the experiences of others. The Financial Services industry benefits by becoming more resilient as we all improve our security programs.
FST. In terms of compliance, how has MassMutual dealt with adhering to regulations and what has it meant to the company’s operations?
BB. MassMutual has a strong compliance program and we aim to coordinate our risk management and compliance activities to make optimal use of our resources. It isn’t a question of whether we’ll comply but rather, how quickly and how we prioritize.
FST. How do you deal with getting users to follow IT policies at MassMutual?
BB. Education, oversight, enforcement and more education. We find that it helps to remind people periodically what the policies are and what their obligations are to abide by them. There’s also a great deal of change in our workforce with people being hired and others leaving, so frequent educational sessions are important to keeping people up to date on policy matters.
FST. Looking ahead. With security so important to financial firms, how do you foresee your side of the business expanding over the next few years?
BB. I’m glad this question makes reference to our side of “the business” because security issues are business issues. Too often people make the mistake of relegating security issues to some lost forgotten back-office IT place. I expect business people to increasingly recognize how critical security is to their success and so our involvement will continue to grow over the coming years.
FST. And what are the new threats that you face on the horizon and what technologies, such as wireless devices, may pose a threat for your staff, as well as customers and their information? It’s always difficult to be certain.
BB. Businesses and supporting computing environments are becoming more complex every day. With all that complexity come a huge number of potential weak points. In addition, the sophistication of those who would exploit systems is increasing. Security programs need to be thorough to ensure that all the weak points are covered and we need to get more sophisticated in our approaches and countermeasures. Today’s workforce is very mobile so our solutions have to travel well and our reach has to be global. We need to arm business people with solutions that enable and don’t impede them and we need to educate them well enough to keep them out of trouble. There are times when threats are just too great; that’s when we need to take a firm stand and make a compelling argument that the risks are not worth taking.
Fast facts
MassMutual Financial Group is the fleet name for Massachusetts Mutual Life Insurance Company (MassMutual) and its affiliates, with over $450 billion in assets under management at year-end 2006. Founded in 1851, MassMutual is a mutually owned financial protection, accumulation and income management company headquartered in Springfield, MA.