Scuttling Scalawags (cont.)
CIGNA's Craig Shumard on battling 21st-century pirates
"If someone in our United Kingdom office decides not to spend the money or resources on shredding documents and some dumpster diver comes across a customer's medical records, how do you put a price on that? The headlines will extend far outside the UK. What's the potential impact of a lost laptop? Not much if the data is encrypted. But if not, well, you've seen the results in the newspapers over and over."
When 'Just say, No' doesn't say enough
Among the most challenging issues CIGNA and its information security team face is getting people to understand what the information protection team does and why. "We need people to understand that we are not the 'no' people. We need them to understand the ramifications of some of these seemingly innocuous activities, such as chain letters. It's as simple as someone sending an email that contains something unflattering about a customer. Or, someone might go to an online community seeking to resolve a problem about an issue they're having with a server or a backup routine. Unknowingly, they provide information about our environment, and because they've listed their @cigna.com address for replies, it potentially gives someone the information they need to better understand how to compromise our environment. If people understand 'the why' behind a policy they are more inclined to follow it."
Also demanding attention from CIGNA's IP organization are issues like network segmentation. "We have a big initiative underway around network segmentation that will take us to the next level of protection. We're spending a lot of time and resources on ensuring that our third-party providers, particularly those offshore, are compliant with our policies. And we're continuing to work on encryption for backup and removable media," Shumard says.
One of the least troubling tasks for Shumard is aligning IT security to the business. Because he and his team focus on integrating into the fabric of the company's operations, policies, and procedures, alignment now comes almost naturally.
Avoiding future shock
When looking ahead a year, Shumard is excited by CIGNA's future and the role his team will continue to play in battling the information "pirates" of the 21st century, enabling and supporting the company's business goals and objectives:
"There will be changes in technology, new thumb drives, peer-to-peer networks, and file- and folder-sharing programs. But your weakest point will always be the individual sitting behind the computer. The six-plus year investment we have made in employee awareness training, technical solutions, risk analysis tools, and people development have followed our multiyear road map, which has positioned us with good insight into what we need to be doing, and in a better position to deal with them a year from now."
Dave Clarke Mora is editor in chief of CIO Digest.