CSO of the year: Thomas Dunbar, global chief security officer, XL Capital

The efforts he undertakes on a daily basis to achieve these and other mandates are the primary reasons why the SC Magazine Awards U.S. for 2006 saw him walk away with the title of CSO of the Year.

During his four years at XL Capital, a company worth some $53.3 billion as of June 30, 2005, Dunbar has focused on ensuring that a Fortune 500 company establishes a robust defense-in-depth structure fast.

As a provider of insurance and reinsurance coverage and financial products and services to industrial/commercial/professional service firms, insurance companies and other enterprises, XL's most important asset is its data. Dunbar has played a key role in making sure that this data is protected and that business processes associated with its use are streamlined.

"We're here to mitigate risk, making sure the data's protected and available when the data's needed so the company can function," he says.

To accomplish this, he set up policies and standards, implemented a strong security architecture, organized user training and awareness programs and more. His ten years as an IT security professional helped him with these tasks, especially his former job at Citigroup, where he worked for "the grandfather of all CISOs Steve Katz," he says.

"Last year, I was promoted to senior vice president. I've had the same functional title, however. I'm the global IT chief security officer, so the functional title doesn't change, but my stature in the company does," he notes, adding that the promotion is recognition that he and his team have built a comprehensive IT security program.

With six staff members, Dunbar oversees the security structure that protects information for about 3,500 employees located in 78 offices across some 29 countries.

"I own IT security from a global perspective. So it's making sure that we have policies, standards, procedures in place that manage that across the globe," he says.

Steve Katz, the former CSO of Citibank, says Dunbar was well-equipped to take on the newly formed CSO position at XL four years ago and is now widely sought after. Because he takes a pro-business approach to IT security, he constantly shows his bosses how security is valuable to the company -- something some information security practitioners still have difficulty doing.

"He was able to gain credibility in a short amount of time [because] he positioned issues [XL] is dealing with in terms that the business can understand," says Katz. "He made something out of nothing."

To gain a better idea of why this year's SC Awards judges placed the majority of their votes with Dunbar, we sat down with him to learn more about his IT security program, and goals for the coming year.

Illena Armstrong: I'm glad that we're finally able to connect. Seems we both have quite busy schedules given the time period.

Tom Dunbar: Yes. I picked up responsibility for our IT Sarbanes-Oxley compliance for 2006, so we're wrapping up 2005 and I'm trying to understand and learn that process. My calendar's extremely full until the middle of February.

Q: So you're feeling lucky to have that extra duty?

A: Absolutely -- an opportunity.

Q: You also have to contend not only with regulations in the U.S., such as Sarbanes-Oxley, but also with other countries' regulations because of where XL offices are situated?

A: Yes. the Financial Services Authority (FSA) in Europe, in the U.K., is a big one.

Q: Do you have to tweak policies and standards for each country?

A: We've been through that and discussed it. It's uniform around the globe. You'll always have the caveat that local law takes precedence, but we really haven't run in to too much of that in terms of policies and standards. They're all out there. It's a global policy. It's out on the portal and there are a couple of minor things in some of the countries that have different privacy laws. So, for instance, in France when you implement an internet usage policy, you may need to include some additional wording that is required by the workers' councils in [that country].

Q: So updates to policies and standards can get complex?

A: Not so much on the technology side. It's when you get into where it affects the end-user that it becomes a little bit trickier. I work with our compliance and legal departments to make sure that everything is done as one. We actually have embedded an end-user risk management usage policy and an internet usage policy into the company's global policies. So rather than being stand-alone, we have an entire policy statement that includes those two. It includes other directions, such as ethics, fraud, confidentiality and requirements like that.

Finding support

Q: What have been your primary IT security achievements in the last year of which you're most proud?

A: I think the recognition of the program. XL grew by mergers and acquisitions. The company, this year, will celebrate its 20th anniversary. So in 20 years it has grown from two employees to the 3,500 it is now. When I came in during January of 2002, there was a need to implement a robust, global security program. That was a challenge because there were no consistent policies and, in certain cases, there were no policies and standards because you had so many siloed organizations.

Q: Back in 2002, though, a company lacking such a program was not an aberration.

A: No, but because we are an insurance and financial organization, we did have a bigger profile than other companies. So it was coming in and having the opportunity to build this thing from the beginning. It wasn't a full green field, but I did have a lot of freedom to try to get it in. And it was very interesting because it was me and no staff -- a totally matrix influenced type of position.

Q: So when it was you and no staff, how large was the organization?

A: It was probably around 3,000, maybe 3,100.

During the last year, I had the opportunity to present the program to our executive management board and to walk them through what we have built in IT security. It was a chance to have them understand that we had a total defense-in-depth program and educate them to the risks and how we address them. So when you asked me what I feel most proud about for 2005 -- and we had a lot of projects going on -- it was the culmination of this understanding that security is essential throughout the entire organization. We had succeeded in reaching from the boardroom through the entire organization that security was everyone's responsibility. So through different venues -- through our employee newspaper, XL Connections, through our portal, through emails -- we had done an effective job in making sure that everyone in the organization understood what security was, what it meant to them, and why it was important.

Last year, for example, we deployed intrusion prevention services (IPS). And while a lot of companies are still wrestling with whether to implement or not, we were able to use our success and momentum from the past three years to demonstrate what IPS could do for XL. There's a trust that our security team will build the appropriate level of security for XL. We're not going to go out and aim to be the most secure. We're not going to make sure that we have every bell and whistle, but we will secure XL appropriately from what is out there -- the kind of threats and risks that would affect our organization.

Q: So it's all about the return on security investment (ROSI), the cost-risk analysis thing?

A: Absolutely. Last year, [a big advance] was just getting the feeling that people get it. They understand security. When questions come up they know there are people to go to and get answers. We've arrived at the point where IT staff understand that if they're designing an application that has visibility through the internet, they must have it tested prior to production to ensure that they've secured it and that we're not going to expose the company. They understand that there are risks in what they do and that we're here to help them mitigate the risks before they go live. It's also working with them to make sure it's not last-minute, that they know these things need to be done and that the team's here ready to support them.

Q: The achievement of having both your business units and senior management team understand the need for and business benefit of IT security is great. But, on the more specific projects, what processes and/or solutions help you continue to get the word out and make clear to end-users during everyday activities that security is not an impediment?

A: During 2005, we implemented the first phases of our One Identity Program [for end-users]. We recently published a case study on our program with Unisys and RSA. Our goal is single sign-on, or as close as we can get. We would like all users to only have one identity and one password. In January 2005, we actually went live with simplified sign-on. What happens now from the user's point of view when they log onto the system in the morning, they get access to their desktop, they get access to the network, to email, to the portal, and to over 100 different other applications -- mainly in the collaborative space -- all with just that one access. From a user's point of view this is a really big deal.

We did a feedback session through the internal portal after we went live. We explained what it was, we did the training and then we asked for feedback. For instance, we asked if the project was helpful, if users would like to see it extended, if it increased their productivity, or if they gained at least three minutes during the day. We received about an 87 percent approval rating that verified that from an end-user's perspective this was huge.

With the decreased number of IDs and passwords, [however, we have had to explain] to our users throughout the year why passwords are so important, and we have provided examples on how to create a secure password without it being too complicated. We periodically test passwords and communicate back to the employees how we are doing as a company.

We've done many other things from a user point of view that [allows them] to see security as something that is essential and, I wouldn't say it's transparent, but it's not causing them the type of issues that they used to have.

Q: You're using RSA, so why no tokens?

A: The place we use tokens is for remote access. If you're in the office, we still rely on a strong password. My goal is to eventually use tokens, but we're not there yet. For 2006 we'll be implementing the next phases of our One Identity Program and, at that point, if executive management agrees, we will turn it on. The capability will be built and ready to go, but it's one of those things that will take a little getting used to. Probably we have about 40 percent of the population now who have laptops and are used to the fobs, but for people who never carry a laptop and come into the office, having them get used to a fob is going to take an awareness campaign as to the benefits to the users and to XL.

Q: So your hope then is to have 100 percent of the user population using secure tokens in the next year?

A: That would be a goal. It's not something that has been approved yet, but it is a goal.

Concerns about security projects

Q: Were there any difficulties you faced undertaking these various efforts?

A: There's always some push-back on any kind of project you want to do. One of the good things here is that [XL] is a very matrix-managed organization. You achieve your successes through influence. So you constantly have a campaign on where you're going, why you want to go there, and how you're going to get there. By doing that, you don't get as much difficulty, as much push-back. You try to be up front about it and try to communicate to people what we're doing -- which is one of those things that many IT organizations don't do well.

We do have a very good process within the organization, where for any IT spend, any big IT project you want to accomplish, there's a thorough approval process via the IT Executive Management Committee. And when you go through this process, you lay out not just what it's going to cost, but you also do the return on investment, you also show the benefits and the risks of not completing [the project].

This allows the committee which is made up of our CIOs as well as business executives, to understand upfront what you're going to do, how you're spending the money and then what benefit it is going to be for the organization afterward.

There is some difficulty if it's something that's not going to benefit the entire organization, if it's going to benefit one segment versus another. But security is pervasive throughout the organization, so what we do is going to affect everybody. And we talk about it from making the end-user's life easier, giving them productivity, giving the organization additional security, lowering risk, things of that nature.

Q: Do you feel then that you are getting the support you need from your colleagues, your business units and bosses? Are you getting enough budget?

A: Yes. Everybody goes through budgets and you have priorities, but I do get the support there. One of the things that the executive management board [does] pay very close attention to is spending and budgets, and I usually have their 100 percent support. I'm very lucky in that regard. The two executive vice presidents who have managed that committee 100 percent support that the program is the right program and that we're spending money effectively and getting the required results.

Q: When you're undertaking various projects, do you have to work with managers of various business units?

A: Yes, senior managers from the business units and their respective CIOs are on the executive management board and part of the review and approval process, and not shy to share feedback.

The way we're structured within XL, there are three principal segments. We have insurance, re-insurance, and financial products and services. There are three CIOs for those segments, so a lot of the work is done with them. They are continually meeting with their senior business people. So I can work through them and with them. If I need to get to senior managers, the door is open to get there.

Q: So is your budget part of the IT budget?

A: Yes.

Q: And who do you report to?

A: I report to the global CIO.

Q: So there's a CIO for each of the three segments and then there's a global CIO who oversees them. Do you like that structure or do you find at times there's a conflict of interest?

A: We've had discussions. My boss is terrific. He pretty much lets me run autonomously. So while I report directly into him, go to his weekly staff meetings, planning meetings, and he has ultimate control of the budget, I do have the authority to manage the program in a somewhat independent manner.

I also have a dotted line relationship into our risk committee, so I do have other avenues. I work very closely with our audit and compliance departments as well. So while I report directly into the global CIO, there's enough matrix management that I can get to where I need to be for any topic.

Q: So you have a separate internal auditing department. Do you have a chief risk officer?

A: We have a chief risk officer, who is chair of the risk management committee.

Other projects on tap

Q: What else is on your agenda for this next year besides extending the One Identity Program?

A: That's a big one for us. We're going to deploy RSA Sign-On Manager so that we'll extend simplified sign-on. There will be even fewer applications where the user will need to authenticate.

The other big one for us is network access protection. That's just huge for us because, like most organizations, the greatest risks are internal. And you still have locations where people can walk into an office and, once they're in, can plug their machine in.

So we're working right now on a project with vendors to find a way to say [these users] are quarantined until we say they're [allowed] on the network. And there are a lot of solutions out there. We've talked to a lot of vendors. We're going to find the right one for us this year. That's very big on our agenda.

Q: So you're looking at folks trumpeting Network Admissions/Access Control -- the Ciscos and Microsofts of the world?

A: Absolutely. There are just so many ways you can do it. You can do it through an appliance, through thin clients, fat clients. And we're trying to find the right way to get this done.

One of the other big things that's going on -- it's not one of my team's projects but we're involved with it -- is that the company's going to go to a managed desktop this year. So our desktops throughout the entire organization will be very much locked down from a security point of view. With that we'll have a much better idea of the footprint of our desktops and laptops and we'll be able to identify non-XL equipment and make sure we start quarantining them.

We call it the managed desktop, where we will have a consistent desktop throughout the organization and it will be a secured, locked-down desktop.

Q: And so the implementation of the NAC project is to be done by the end of the year?

A: Yes, hopefully we'll have it done by the third quarter.

Those are the main ones this year, but one of the other things we want to do is expand our awareness program. Over the last four years, we've gotten the logical hurdle taken care of and we now want to make sure we continue to educate our end-users. We've got the policies there, training about passwords and other things that are big-ticket items, but now we want to get into more targeted things.

We're going to work with our communications department and use the various avenues -- again, the employee newspaper, the portal, emails -- and start focusing on security around laptops, USB tokens and spyware. I mean, we had these topics before, but they're more alert-type-of-things, make you quickly aware. Now we want to do more on the educational side of things.

Q: In expanding the program, will there be on-site or web training?

A: We haven't gotten to that point. We are thinking that, in addition to the communications vehicles, of organizing an awareness day. Even though we have 78 offices, we have some rather large offices with 300 to 500 people. We're thinking we'd like to get to those offices and do an awareness day and do something more with new employees.

Challenges this year

Q: What are the major challenges financial organizations will face this year?

A: Network access protection. Generally, you want to be able to not worry when you invite partners, customers, brokers, whomever into your organization -- and a lot of them come with laptops -- that somebody's bringing that threat in with them and sending it out into the network.

It's finding the right solution. Right now, Microsoft certainly understands [the problem] and [a solution] will be part of their offering in 2007. {But] I don't think organizations can wait until 2007 to get this in place. There are a lot of us running around right now [to address this problem].

There are different levels. You've got your machines that are 100 percent protected. Then you've got people who are traveling -- they're trusted but semi-trusted, so how do you react to their machines and how do you do a health check-up on them and let them back in. Then you have the untrusted machines. So how do you put them into quarantine to make sure they're somebody you want to let in.

There are a lot of people you want to let in, but you've got to know who they are, what they have and what they're coming in for before you give them that trust status -- even if it's for a very limited time.

Compliance is another big issue. We've done a lot to ensure compliance with Sarbanes-Oxley. There are solutions out there to help you understand if you have a comprehensive program in place and if you're covering all of the 'sweat' factors. These automated tools advertise that you can plug in your program and have the tool [understand] the requirements of legislation such as Gramm-Leach Bliley, Sarbanes-Oxley, HIPAA, FSA, etc. and [define] where your gaps are. It would make the whole compliance testing simpler if those tools did what they're advertised to do.

Q: And that seems to be a problem. Some folks as of late have said they'd like to see fewer solution providers saying their product will make companies compliant. There is no panacea. Is it problematic trying to sift through the marketing hype versus the reality?

A: Very much so. We've had vendors in and we've talked about it and I'm not finding, like you say, a panacea. Some of them are getting closer, but the cost of them is daunting. You've got to find a pricing model that fits a smaller organization like XL versus much larger organizations. It's trying to make sure they match up to a [particular model], like COBIT. How often are they going to upgrade it, how many of the different laws are included . . . We went through a lot of work on Sarbanes-Oxley and are currently looking for a tool that will handle that, but I want to do more than Sarbanes. We did a lot of work this year on making sure that, even though we don't have a lot of personally identifiable information, we were compliant with HIPAA.

We've done some of the identity management and we've really focused on internal right now. We're going to be extending this externally. Finding the right solutions externally to make sure you can bring your customers and brokers in. So do you want to be doing that focusing on your own solution or do you want to move to a federated identity model? We'll be struggling through that this year.

We've got to figure out ways to do more with brokers and customers through extranets. We have few extranets at this point. We know [they are] something we need and we want to make sure that we build [them] from a central model. We want to try to build the core infrastructure through our One Identity Project and then re-use the coding, the language and the authentication to manage [them] centrally. We're not seeing that the company is ready for a federated identity, but from an IT point of view we're thinking we have to be building it now to be ready even if it comes in 2007, 2008.

Q: Is there any particular talk surrounding solutions last year you've found to be untrue this year?

A: We did start the network access protection and we just found that nobody was really ready last year. I'm hoping to get there this year. That's one where we know there're a lot of vendors working on it and we expect to see it this year, but it's going to be a long road to get there.

Q: As far as the threat landscape, is there anything that keeps you up at night?

A: There's always zero-day. They're the types of things that [make you watch] the SANS [Internet Storm Center] every day. Those kinds of threats that [make you wonder] if you're going to be ready for the close-to-zero-day [attack] when it comes. [They] are the ones that get me.

Q: What sources do you turn to then to keep an eye on these and other threats?

A: SANS Internet Storm Center is where my team goes everyday. We also subscribe to an alert service. And also we have outsourced our IDS/firewall monitoring to a managed service provider, so they have a bigger view of what's going on in the world as well. We rely upon them to be giving us updates if they see anything that's coming that might affect our service.

Q: What's your best advice to others in your position when it comes to building the proper security program?

A: It's having the overall picture. It's making sure you are spending your funds over a range of items so you can hit the various risks. That was one of the great things having come through Citigroup with Steve Katz and the team there, understanding that you're not going to find any one item that's going to do it all.

That whole 80/20 rule is just so important. If you find a solution that gives you 80 percent and then another that gives you 80 percent, and then another, so that if you keep looking at all the risks from the outside through the inside and keep finding solutions that will get you that 80/20 eventually, you're going to get closer to that 100 percent.

It's having the holistic view is what we've found has worked for us.

A CSO'S LOT: Tips to prevent burnout

In the course of a day, a chief security officer is often required to deal with literally hundreds of interactions with management, colleagues, customers and suppliers. Many, if not most of these exchanges, are unplanned, unscheduled and require some type of action or decision. And with mobile technology, these interactions do not stop just because you have left the office.

If you feel burned out from the cumulative effects of this reality, here are some ideas that may help you regain some control.

Develop and follow your own organization's game plan -- Coaches in professional sports spend most of their time planning for games, and then adhere to that plan during the chaos of the actual game. Meet annually with your team to set strategic security goals for the coming year and develop a plan. Set tactical goals at the beginning of each month and take time each morning to plan your own day before others do it for you.

When a potential supplier cold-calls, follow your plan, not theirs. Ask them to send you a short summary of what they are offering and state that you will get back to them if you are interested.

Practice triage -- Triage is the technique used in emergency rooms to ensure that patients with life-threatening injuries receive the highest priority for treatment. When you receive a request, write it down, classify it and ,unless it is truly time or mission critical, return to working on the important goals you established in your daily plan. In the fog of a busy work day, it is easy to lose sight of what is really important.

Leverage your team and focus on helping them succeed -- Games are won by the players on the field. Most organizations with a CSO are large enough so that the CSO should serve as a player-coach, not the star. Communicate regularly with your team and ask about what obstacles they are encountering. Spend more time teaching and coaching and less time trying to do it all yourself.

Take yourself out of the game and have an off-season -- As a CSO you could work 7x24x365 if you let that happen. Learn to delegate. Set boundaries and establish protocols for when things get escalated to you, and when you are off-duty. And take a vacation and "vacate." SQL Slammer hit when my wife and I were on a Caribbean cruise with no internet connectivity. The team did a great job handling things.

--Dennis Devlin, VP, CSO, The Thomson Corporation

CSO OF THE YEAR: Thomas Dunbar

Thomas Dunbar, global IT chief security officer, is responsible for XL Capital's overall global IT security program. This includes the company's IT security strategy, tactics, planning, governance, architecture and operations.

Dunbar is also responsible for the company's security policies and standards, including information risk management. Additionally, he manages the global Disaster Recovery Program for the XL organization.

He joined XL in 2002 as the company's first Global IT CSO, and was promoted to senior vice president in April 2005.

Prior to joining XL, he was director of Information Security Programs at Citigroup, where he was responsible for the management of information security officers through the Citigroup global network and the direction of IS programs including policy, standards, training, awareness, metrics and financials.

Dunbar has ten years of experience in information security and holds both the CISSP and CISM certifications. He holds a BA in Mathematics from the College of the Holy Cross in Worcester, Mass.

He is the co-inventor of record on two patented information security effectiveness/measurement tools: Citigroup Information Security Evaluation Model (Citi-ISEM) and the Information Security Metrics Program.

XL GLOBAL SERVICES: Company overview

XL Global Services is the services support company for all of the operations of XL Capital Ltd. (NYSE:XL). XL Capital Ltd, through its operating subsidiaries, is a leading provider of insurance and reinsurance coverage and financial products and services to industrial, commercial and professional service firms, insurance companies and other enterprises on a worldwide basis. As of June 30, 2005, XL had consolidated assets of approximately $53.3 billion and consolidated shareholders' equity of approximately $8.4 billion. More information about XL is available at

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.