Why IAG’s security team is learning to ‘speak developer’
- 07 May, 2018 06:30
IAG is “right in the thick” of attempting to move its traditional workloads from its data centres into the cloud — and that’s forcing its security team to “fundamentally rethink” and challenge past methods that the insurer has used to protect its data, according to Ian Cameron.
Cameron is the insurance group’s head of cyber security and governance.
“In one sense it’s actually forcing us to change our ways of working,” Cameron on Friday told the IBM Think 2018 conference in Sydney.
IAG has previously detailed some of its efforts to build an “open source culture” across the group, including rolling out OpenStack to consolidate a plethora of separate data warehouses.
Right now, a focus of Cameron’s team is building security into DevOps at the insurer. That has involved a decentralisation of the security function at IAG, and teaching developers “how to help us do security as code” and “bake security into the continuous delivery toolchain so it’s not an afterthought.”
That means the security team has had to “learn a whole new language,” Cameron told the conference.
“Us security guys traditionally are not really that great at talking to developers, so we’re having to pivot and try and experiment with new ways of engaging and teaching these guys how to be our foot soldiers, our security champions,” he said.
The shift has involved “letting go and letting them do some of it for us.” “That’s the only way we’re really going to be able to achieve the scale and the agility, the adaptability in a cloud environment,” Cameron said.
“We can’t really do that using the traditional operational models that we’ve tried to apply in the past.”
IAG is currently engaged in a mammoth effort to consolidate its policy and claims systems as part of a five-year technology plan. The consolidation push is part of a broader simplification program within IAG that aims to cut its costs by $250 million.
In February IAG appointed PwC partner and former Accenture executive Neil Morgan to the newly created role of group executive technology.
Morgan’s appointment capped off a series of changes to the technology function at the insurer starting with the late-2016 departure of its CIO.