COVER STORY
Living in the Copernican Revolution
Developing a Security Posture that Aligns to the Ever-Changing Threat Landscape
By Patrick E. Spencer

In his famous allegory of the cave, Plato argues that the invisible world is the most intelligible notion of the visible world. This forms the basis of Platonic epistemology, whereby Plato concluded that knowledge can be attained from the world of timeless essences and that opinions are based on the shifting world of sensations.

But what happens when the images in the cave are infinite—always changing, as subsequent philosophers concluded? Knowledge becomes subjective and variable. This certainly makes sense in the field of information security, considering that information technology is based on mathematical calculations. Lynda Fleury, the assistant vice president and chief information security officer at Chattanooga, Tennessee-based Unum Group, and her team are finding this premise to be true, as there is no “Alpha and Omega” (“beginning” and “end”) to information security.
Getting what you ask for

Fleury first joined Unum, a FORTUNE 500 leader in disability, group life, long-term care, and voluntary benefits, in 1984 as an IT audit manager. Her transition to information security and compliance was actually by accident. “One day I happened to ask the security manager, who was managing the mainframe environment, what he was planning to do about the security for all of the different file servers that were showing up with the OS/2 operating system loaded on them,” she recalls. “It was soon thereafter that I had the opportunity to serve as the special project lead for building out the company’s first PC-based security program. This was December 1989, and I haven’t turned back since.”

Photo: Lynda Fleury, AVP and CISO, Unum Group. Photos by Michael Brunetto.

14 CIO Digest April 2009
Photo: Lynda Fleury, AVP and CISO (bottom left); Brad Shoop, Security Architect II (top left); Mike Landreth, Systems Manager (top middle); Chris Dupuis, Security Architect II (second to right); and Tom O’Brion, Network Security Consultant (bottom right).

Delivering the Benefits: Unum Group
Founded: 1848
Headquarters: Chattanooga, Tennessee
Workforce: Approximately 10,000
Fortune Ranking (2008): 251
Customers: Protect 25 million people and serve the needs of 171,000 businesses worldwide, including 42% of the FORTUNE 500
Business Units: Unum US, Unum UK, Colonial Life
Benefits Paid (FY2008): nearly $6 billion
Revenue (FY2008): $10 billion
IT Organization: 650+ IT professionals, including 30 IT security professionals
Website: www.unum.com

When asked to cite her biggest accomplishment over her nearly 25-year career at Unum, Fleury indicates it goes back to 2001, when her team consisted of just three IT security professionals. “We had been charged to build out a best-in-class information security program, and we simply couldn’t go to senior management and ask them for 20 or 30 IT resources and millions of dollars in funding,” Fleury says. “It was important to build trust as well as a solid foundation, an effort that spanned a period of years and was ongoing.”

Ingredients of security success

Fleury credits the success she has achieved to her team’s due diligence, proactive management, and accountability. She oversees a team of 30 IT security professionals who are recognized for their innovation and dedication in pushing initiatives that help drive the business forward. “The fact that we haven’t lost the entire network as a result of a malicious intrusion in more than five years speaks volumes to the hard work and efforts of the entire team,” she remarks.

Fleury also cites the support she has received from senior management as a critical factor in building out the security program. “We’re an insurance provider, and one of the measurements includes conducting business with our customers in a secure fashion,” Fleury says. “Our plans start at the top, with the strategic business initiatives of the CEO, and we continually align our security programs to those.”

“The entire senior management team understands the importance of maintaining a comprehensive security and compliance posture,” Fleury adds. “If something goes wrong in our IT infrastructure, we stand to lose the entire network or experience a significant disruption to the business.” This cascades not only to the productivity of Unum’s 10,000 employees but downstream to customers. As a result, Fleury is responsible for reporting on the status of security patches, the threat landscape, and compliance with various regulations such as the Health Insurance Portability and Accountability Act (HIPAA) and Sarbanes-Oxley (SOX) on a business dashboard that goes to senior management each month. These data metrics also include notations around the quality of work performed by her team.

Daily evolution

The virtual explosion in the growth of the threat landscape is something Fleury and her Enterprise Information Security & Risk Management (EISRM) team take seriously. “When you look at polymorphism and obfuscation and the almost ridiculous increase in the variance of malware, this is something that definition-based detection can address only so far,” says Brad Shoop, security architect II. “Behavioral and heuristic detection is going to be critical. But that won’t be enough. End-user awareness is also key. Simply because you think that you live in a safe neighborhood doesn’t mean that you won’t get broken into.”

Fleury continues: “The good ole’ days of the mainframe and the closed, private network with no connection to the outside world are long past. That simply isn’t reality.” Despite its challenges, however, advances in technology have allowed Unum to become a global FORTUNE 500 company. “Technology moves at a very rapid pace,” Fleury explains, “and security maturation tends to lag behind with the introduction of new technologies.”

“What I’ve tried to communicate to our senior management team is that there is no beginning and end to our information security efforts,” Fleury says. She goes on to explain that a security program must evolve every single day in order to keep pace with the expanding threat vector. “Gone are the days of kids simply wanting to make a name for themselves. It’s
now criminal activity focused on extracting data and profiting from it.”

“There is no beginning or end to information security. It must evolve every day.” –Lynda Fleury, AVP and CISO, Unum Group

Two-decade Security Career Pays Benefits

With two decades of experience in information security, Lynda Fleury, the AVP and CISO at Unum Group, is recognized as a thought leader in her field. She built the Enterprise Information Security & Risk Management team at Unum from the ground up, inculcating best practices, instituting security standards, instilling an infectious passion across the entire staff, and creating synergies that connect information security with the business. In addition to the internal loyalty and respect of her 30-member staff of professionals and stalwart support of the senior management team, she has garnered external recognition that includes the 2009 CSO Compass Award from CSO Magazine and the 2008 Information Security Executive Southeast Award.

The leadership of empowerment

When it comes to soliciting feedback from several different members of Fleury’s team on what makes her successful, her leadership skills quickly come to the forefront.

“The biggest thing for me is her understanding of security, respect for our perspectives, and unwavering focus on the business,” Shoop observes. “She puts a lot of trust in us, allows us to do what we think is necessary, and then backs us up. I am the newest member of the team, and the thing that has impressed me the most is the appreciation she shows to everyone on the team.”

Yet, at the same time, EISRM Systems Manager Mike Landreth notes that Fleury is willing to serve as a counterweight, pushing the team to look at the broader picture and to consider the impact of actions on the business.

The intertwining of information security and the business is also an important factor. “This was not the case in my prior roles,” Shoop recalls. “It was truly enlightening to join an organization that had already surpassed that hurdle.”

Chris Dupuis, security architect II, possesses a slightly different perspective than Landreth and Shoop on Fleury’s leadership skills. “I’ve worked on other teams during my tenure at Unum, many of which were topnotch,” Dupuis says. “However, Lynda provides a level of empowerment that drives quality and efficiencies attained by few teams and organizations.”

When to outsource?

In order to stay on top of evolving security threats, Fleury and her team work with Symantec on various fronts. In 2004, they opted to outsource security monitoring and management of their network to Symantec Managed Security Services. “Others in my peer group, especially with the current economic challenges in front of them, are looking to insource network security monitoring and management,” Fleury reports. “However, with the rapid growth in the threat landscape and the corresponding 24×7 requirements, I really think it is impossible to replicate the value we gain from [Symantec] Managed Security Services.” Beyond the reduced security risk and enhanced operational efficiencies, Fleury is able to reallocate up to three IT FTEs, who would otherwise need to be dedicated to monitoring and managing network security, to other tasks.

“It ultimately boiled down to ensuring that I’m allocating my resources to what matters most,” Fleury says. “Rather than culling through piles and piles of data logs, the team can focus on what is really important—critical alerts, issues important to the business.”

In 2005, Fleury and her network security team opted to outsource mail security to MessageLabs, which Symantec acquired in late 2008. “We previously managed mail security in-house,” Landreth remembers, “and it was a major headache; 24×7 ‘babysitting’ to prevent malware intrusions and spyware and to deal with false positives.” With the Hosted Email Security Solution from MessageLabs, Fleury was able to reallocate two IT FTEs to other security-related initiatives. The solution is also saving Unum on storage resources, as the spam is filtered out before it hits the network. In addition, fewer false positives and virtually no spam drive organizational efficiencies—from end users to Fleury’s EISRM staff.

“MessageLabs is a great solution for us,” Landreth says. “We’re able to outsource our mail security infrastructure, yet we are able to maintain email policies based on our business requirements. With the MessageLabs solution, we don’t need to submit a request and wait for hours; rather, we are able to make the change in real time ourselves.”

Getting deeper security insight

About two years ago, the Unum team added Symantec DeepSight Threat Management System on top of Symantec Managed Security Services. “It provides us with virtual real-time information on issues related to IDS, IPS, our Web security gateway, and other pieces of
our IT infrastructure that help us hone in on specific threats to our environment,” Shoop says. “The threat landscape changes daily, and DeepSight helps prioritize our efforts on what is important.” And as many of these tasks were previously performed manually, the labor cost savings are dramatic—equating to as much as 80 hours of full-time employee (FTE) time each month, depending on the malicious activity that is happening in the wild. Instead of spending valuable time compiling threat reports, the team is now able to focus on initiatives that drive the business forward.

Ensuring compliance with security standards

Fleury and her team manage information security through various industry frameworks. She introduced ISO 27000 and 27001 as a standard in 2001, and the team also adheres to COBIT and COSO (Committee of Sponsoring Organizations). “We’re heavily regulated in the insurance industry—from federal and laws, to privacy and security issues, to annual Sarbanes-Oxley audits,” Fleury explains. “Automating security and compliance reporting is critical for us.”

Symantec Enterprise Security Manager (now part of Symantec Control Compliance Suite) was first introduced into the Unum environment under a prior data center outsourcer (Unum has since re-assumed management of its data center), which had some strict guidelines around standard best practices and configurations. “We initially acquired [Symantec] Enterprise Security Manager in order to maintain well-documented configuration standards,” Fleury says. “We’re now in the process of using that baseline to build our security controls documentation,” Landreth adds. “This will also include a monthly security health check to ensure that we don’t have any gaps or vulnerabilities.”

To streamline endpoint management on its approximately 1,400 data center servers and help ensure their security, the Unum IT team also uses Altiris Server Management Suite. The team provisions a standard configuration across all of the different systems—from UNIX, to Microsoft Windows, to Linux—and maintains a 28-day patch management window using it.

The benefits of email retention and e-discovery

In order to address compliance-related requirements around email retention and discovery, the Unum IT team was an early adopter of Symantec Enterprise Vault, implementing a solution in 2004 with the help of Symantec Consulting Services that included Discovery Accelerator and Microsoft Exchange Journaling. With responsibilities for legal discovery, Fleury and her team herald the benefits of the solution.

“Prior to the implementation of Enterprise Vault, anytime we needed to perform an email discovery, whether it was in support of the legal department for a litigation matter or from an employment perspective, we were looking at a labor-intensive undertaking,” Fleury remembers. “We either had to grant ourselves access to get into each employee’s mailbox to conduct the search, or we had to perform restores of—often—hundreds of tapes.”

With hundreds of hours of manual retrieval and searches associated with each discovery request, the Unum team has seen a dramatic improvement in IT staff productivity, with as much as one FTE reallocated to other tasks. In terms of email storage, with nearly 20 terabytes today, Unum would be looking at as much as 40 terabytes without the single-instance archiving and data compression capabilities of Enterprise Vault. When this is coupled with the ability to move email archiving from tier-one storage to tier-four storage, the savings extend into the hundreds of thousands of dollars.

Following in the footsteps of Kant

Many believe that Immanuel Kant in his Critique of Pure Reason put the “final nail in the Platonic epistemological coffin” when he argued that the mind is only capable of thinking in terms of causality and thus knowledge is determined by the continuums of space and time. Indeed, the Copernican Revolution had a far-reaching impact across many disciplines that is still felt today.

Fleury and her team at Unum have grasped the implications of the Copernican Revolution for information security. There is no beginning or end to information security, but rather it is a variable that must be addressed daily. And with the right leadership, strategies, and technology partnerships, they are poised to continue taking on the infinite and ever-changing challenges of information security.

Patrick E. Spencer (Ph.D.) is the editor in chief for CIO Digest and the author of a book and various articles and reviews published by Continuum Books and Sage Publications, among others.

Podcast: Check out the Executive Spotlight Podcast with Lynda Fleury and other members of her team at go.symantec.com/unum

Ensuring Security and Compliance with Symantec’s Help
> Symantec Managed Security Services
> MessageLabs Hosted Email Solution
> Symantec Enterprise Vault
> Symantec DeepSight Threat Management System
> Symantec Enterprise Security Manager
> Symantec AntiVirus (in the process of migrating to Symantec Endpoint Protection)
> Altiris Server Management Suite
> Symantec Consulting Services
> Symantec Education Services
> Symantec Essential Support Services