The head of IT explains how the largest German insurer implements and checks compliance requirements worldwide. […]
“The management, IT management and especially the cybersecurity of many companies have a blind spot,” says Ralf Schneider, CIO of Allianz SE. Those responsible do not see that they are following a hierarchical paradigm that can no longer keep up with digitization.
Rigid structures are too slow to operate cybersecurity effectively. The speed boost that digitization brings to all areas of the company also increases the risk that digital assets will be attacked, manipulated or destroyed faster.
At the Handelsblatt Annual Conference “Strategic IT Management”, Schneider reported on Allianz’s governance measures. The insurer has 150,000 employees worldwide, several hundred thousand business partners, millions of customers, 50,000 servers, 200,000 workstations, six data centers and various cloud instances. On top of that come applications, operating systems, firmware, APIs, serverless functions, machine-to-machine connections and much more. All of this must be protected.
With so many parts, IT managers could intervene quickly if something goes wrong. However, it is no longer possible to predict system behavior centrally. Schneider therefore relies on self-organization, regulation and control, summarized in the term “cybernetics”. The framework for this is the insurer’s “cybernetic governance”.
The Allianz CIO relies on a triad of policy, control and people:
The policy is the common language in the Group. It does not define rules, but principles for how IT and security are to be implemented throughout the Group. These principles have been translated into so-called controls, which are based on the regulatory requirements and describe how IT is to be securely set up, operated and further developed. This is the basis for architecture and risk management.
All 60 department boards worldwide and their employees must adhere to this document. They are responsible for implementing the controls and measuring their effectiveness. The governance department uses compliance reports to check whether this is happening.
Second, Schneider has established a control model. It describes how CIOs and security managers should act to take effective security measures and repel attacks. “The increasing complexity of the IT landscape can no longer be mapped in a one-to-one model. That’s why we use this model,” says Schneider.
This works via an IT security dashboard. It lists ten “health indicators”, which are checked in real time for each country company. It shows, for example, how many “toxic components”, meaning outdated components that can no longer be patched, are in operation. Based on this, those responsible take appropriate protective measures.
The third governance factor for Schneider is people. For example, employees work out how the control model can best be implemented and adapt the measures accordingly. The control and management of the measures are largely automated.
For this, the workforce must, on the one hand, know and master the necessary tools. On the other hand, cooperation with colleagues such as risk analysts has to work. To this end, the CIO relies on training courses and training sessions.
To introduce the governance model, Schneider relied on the “syntegration” approach of management consultant Fredmund Malik. Accordingly, the necessary knowledge is carried into the individual areas by key persons and disseminated there.
Each member of the Management Board must sign an IT compliance report confirming that the approximately 150 compliance controls in their respective area are complied with. In addition, it is automatically checked whether the control mechanisms from the compliance statement are actually implemented effectively.
*Jens Dose is an editor at CIO magazine. In addition to the core topics around CIOs and their projects, he also covers the role of the CISO and its area of responsibility.