Knowing the risks

AIG S.E Asia | www.aiu.com

FST. AIG is a Fortune 6 company with a huge number of customers and a massive amount of data to secure. What’s your overall strategy?

PDG. For my particular department running the security organization, we're very focused these days on building collaboration between the divisions and building common platforms, common security infrastructure, to enable the business to do things more efficiently. So we are really looking at where we can optimize infrastructure more than anything else.

AIG has sort of a heritage of a very siloed approach to solving business problems, or to looking at IT solutions and security solutions within the various business units. But recently there has been a refocus on getting better corporate governance and corporate structures in place, to get optimization out of the IT infrastructure. So not everybody has their own data centers, but we're building regional infrastructures where people can come for IT services delivered to them, and we're building the plumbing around security into that.

So the strategy from a security perspective and from an IT perspective is very collaborative, making sure that we’re having the right products and the right technology to deliver the new products and services that our customers are demanding of us.

FST. How important is customer satisfaction and how does that impact the overall IT strategy?

PDG. It's very important. From my perspective I have two sets of customers. I have my internal employees, because they need access to their applications, whether that's HR, or apps like benefits and salary information, or whether it is checking their email. So how seamless do you make that for them? And today we're definitely not seamless, so that's the challenge that we have.

That comes basically back to systems that were built independently and not really integrated, so we need to bring these systems together and build a consistent security infrastructure for that, so we have a major effort around that. The same problem is true on the external customer side. Whether you had a relationship with our auto insurance side, or whether you had life insurance on the other side, you may have two different accounts set up for you, but you can't see that in one seamless interface.

One of our major efforts is really doing that, delivering the kind of firm-wide concept AIG is promoting internally, to get these applications to talk to one another so we can provide that seamless experience for the customer, so that when they log into their online account they can say, "Oh, I have elder insurance here. This is what my rates are. Here's my life insurance. These are the other benefits that I may have from AIG." So they get a consistent look and feel. But that's a long way to go and we're building that out as we speak.

FST. When it comes to security there can be the danger of only seeing the symptoms rather than the causes. How do you work around this?

PDG. It depends on how we address the problem. It's a little bit different on the internal side than the external side. Traditionally we've been focused on keeping the bad guy out, but business has changed so drastically, with third parties providing services, that it's now about letting the good guy in and doing it securely. Your perimeter is disappearing.

Traditionally people have been focused on throwing firewalls up, but that's no longer the case, because we're opening ports on any given day to let people come securely into us. So it's really trying to get that overall picture of where the risks are. We have to move to where the risks are, where we have our most sensitive data, and how we secure that.

So it's a different mindset. We have been building walls around stuff, and now the walls are coming down. So you really have to look at your key infrastructure and your key data, and at what controls we are putting around that. It's changing drastically.

FST. Information security risk management, or IT risk management, is fairly immature compared to credit or loan risk, for example. How do you negotiate that maturity curve?

PDG. That's actually an exercise we're going through right now. As you said, everybody is familiar with the concept of credit market risk. What we've seen from IT risk management is that a lot of it is reactive. If I had an event and I threw it at my boss, I would get budget to fix the event, and the budget would address the symptoms rather than looking at the cause of it all.

So we're actively looking at what metrics we can present to actually show that the investments that we're making are actually paying off. We have a major effort on looking at our overall infrastructure, looking at the events that are associated with it and how we report back on that. We made a $1 million investment in data loss prevention, and we've seen data leakage here, data leakage there occurring, and we can actually measure it. So it really comes back to measurement, and without measurement it's hard to manage.

From an IT risk perspective we're trying to adopt the standards that are out there. We're actively pursuing things like COBIT and ISL as the guidelines for bringing us into that measurement capability.

FST. With such a rapidly changing business environment, how do you stay ahead of the curve on security issues?

PDG. Security is not just me saying what's good for the company. We have divisional security officers who understand the business far better than I could at a corporate level, and who are engaged with the businesses on a daily basis. They bring solutions forward too, so it's not necessary that everybody has to come to corporate to say, "Hey, we need a solution to solve x." They will actually bring the solution forward and ask for validation at a corporate level. That's really the collaborative effort that's going on.

They want to pick the right solution, and they sometimes need some validation of that at a corporate level, but it's not that we're dictating exactly what they can use. It really comes a lot out of the business units saying, "Hey, we have this problem. How do we solve it? Do you think this is a good idea?" We reach out to other business units who may have similar problems and then try and work towards the best solution.

FST. What’s the main area of focus for you in 2008?

PDG. Compliance, unfortunately. We're still in remediation efforts around SOX and Basel II and things like that, so that's one of the major challenges we still have ahead. A lot of systems were not necessarily designed with controls in mind, specifically security controls, having good processes, and how people get access to data. There's still a long way to go on that one. We're still in remediation efforts on that. But as I always say, compliance doesn't mean you're secure. So we need to change that balance back again to our key assets and the security we need to build around that. After that, I think compliance will fall into place automatically. As I see it, we're still in a very reactive mode when it comes to compliance.

Every day there's a new law that you need to comply with, and you can end up diverting yourself from the real key issues out there. So although compliance is a hot issue, I think it's sort of diverting us from the real issue a little bit. So I hope we can get back into focusing on protecting our key assets, and then the compliance piece will come along with that. That's my main issue for 2008.

About Paul De Graaff
Paul De Graaff is SVP and CSO for American International Group, Inc. (AIG), a world leader in insurance and financial services. AIG is the leading international insurance organization with operations in more than 130 countries and jurisdictions.

Prior to AIG, he was Chief Information Security Architect for The Depository Trust & Clearing Corp., New York. He was named one of the Premier 100 IT Leaders by ComputerWorld magazine in 2006.
