Computer Security: At UnumProvident, It’s Comprehensive and Cost-Effective

Not much fazes Lynda Fleury, UnumProvident Corp.’s chief information security officer. One of the few exceptions: software vendors that she feels could offer better, more comprehensive security packages.

The Chattanooga, Tenn.-based insurance company, which earned revenue of $10.4 billion in 2005, is looking to consolidate the number of vendors that can offer enterprisewide protection for the desktop and laptop computers used by Unum’s 12,000 employees. Unum’s security vendor roster now stands at between 10 and 15 companies, according to Fleury.

Fewer vendors means a less complex environment and lower risk of product-vendor incompatibility, she says. The insurer’s biggest need, she adds, is vendors that can offer more and better security features, at a lower total cost.

This goal is particularly important in light of Unum’s rising technology security budget, which is up to $3.6 million for 2006, compared with $2.5 million in 2005.

“The growing threat of spyware, phishing and threat of information theft resulting from malicious Trojans, in addition to the ongoing threat of viruses, was the primary reason for wanting a more comprehensive solution from our vendors,” Fleury says. “Most of these packages, if purchased separately, require agents [executable bits of code] on computers and servers. Each agent needs to be certified and tested, which is a significant process, and server agents take up server CPU resources that may reduce capacity needed for business applications running on that server.”

Fleury and her team meet on a regular basis with Unum’s vendors to discuss future enhancements and provide constructive feedback on what the company likes, doesn’t like and would like to see changed, including consolidation, she says.

For example, Unum previously used two software products to combat spyware and other threats such as Trojans and adware. They were CA’s Pest Patrol and a product called Ad-Aware from Swedish vendor Lavasoft, according to Fleury and Chris Bursch, Unum’s vice president of information-technology risk management, and Fleury’s boss. However, when Symantec released AntiVirus Version 10 last year, UnumProvident rolled out Version 10 companywide. The company dropped Pest Patrol but will still keep Ad-Aware for another 12 months, according to Fleury. Version 10’s ability to reduce or eliminate spyware led to its adoption, Bursch says.

There were a couple of hiccups with the Symantec implementation, Fleury says. One involved pop-up windows that appeared when users were accessing their Microsoft Outlook e-mail client. The pop-ups were stopped by disabling a mechanism that scanned for SMTP-type traffic.

Another challenge for the implementation involved the certification and testing of some 12,000 computers, which Bursch categorizes as “normal.”

Overall, Fleury says, Symantec Version 10 has been stable and effective in combating spyware and other malware. More important, using the single Symantec product instead of the two original programs will save the company 18% to 20% per year over the CA/Ad-Aware system due to lower license fees and other factors, she says.

Unum’s security software consolidation reflects a trend across all industries, according to John Pescatore, vice president at research firm Gartner. “We see the desktop security market finally evolving,” Pescatore says. “Now, with one security engine, companies can protect the desktop from lots of threats.”

According to Fleury, Unum’s drive for a more comprehensive malware package ties in with its five-layer “defense in depth” security approach:

  • Network-based protection (intrusion detection and prevention, firewalls, antivirus gateways, Web filtering)
  • Server/workstation-based protection (host-based intrusion detection, spyware/malware, personal firewalls)
  • Elimination of security vulnerabilities (patch management, vulnerability scans, configuration compliance)
  • Support for authorized users (identity and access management, file encryption, VPNs, secure remote access, strong authentication)
  • Technologies to minimize business losses and maximize effectiveness (secure information management, fraud detection, forensic tools, regulatory compliance)

Fleury is currently looking at tools from Vontu, Verdasys and Vericept to address data privacy, policy compliance and Web filtering issues. Her goal in these areas, as with Symantec, is to make security management even more comprehensive and automated—as she puts it, “agentless.”

UNUMPROVIDENT AT A GLANCE

  • Headquarters: 1 Fountain Square, Chattanooga, TN 37402
  • Phone: (423) 294-1011
  • Web Site: www.unumprovident.com
  • Business: Provides disability, life and supplemental insurance to companies and individuals.
  • Chief information security officer: Lynda Fleury
  • Financials in 2005: revenue of $10.4 billion; net profit of $513 million.