Zurich overhauls IT security strategy

Financial services firm standardises plans

Zurich Financial Services has introduced new measures to improve IT security after outsourcing much of its IT infrastructure.

The firm recently introduced an information security awareness programme for its 57,000 employees in 50 countries worldwide, and has changed the way that it responds to security threats.

The company is enforcing service level agreements (SLAs) with outsourcing partners CSC, IBM and Equant, and says that this extends to IT security.

‘We don’t have separate security SLAs, but we have major security and risk parts included in the overall contracts we have with vendors,’ said Stefan Vogt, head of IT risk at Zurich Financial Services, at the Gartner IT Security Summit last week. ‘It measures things such as outages and the number of days it takes to patch.’

The company, which had 20 chief information officers operating across the globe three years ago, has standardised IT security procedures and has introduced an IT risk management structure.

‘In 2002, there were virtually no synergies between the different IT shops around the globe,’ said Vogt. ‘But by bringing in changes and outsourcing much of the technology, we have been able to drive down cost and bring much greater collaboration between different IT and security teams.’

Zurich has also created three different IT risk teams in the organisation to ensure that the business is not affected by security breaches or downtime.

Risk strategists have been appointed to research and identify the long-term security threats that could harm the business.

‘They look into the future to see what kind of risks we could face in a couple of months or years,’ said Vogt. ‘It’s about moving away from being reactive to incidents to looking into the future and anticipating what risks will come next.’