2014 Risk All Star: Thomas Dunbar

Protecting His Company

Few, if any, risk managers actually want to simulate a distributed denial of service or persistent attack on their computer systems, but Thomas Dunbar at XL Group plc in Stamford, Conn., wanted to see how his internal staff and outside vendors would react.

After all, the cyber risk insurer has to set an example of online security best practices.

Thomas Dunbar, chief information risk  management, XL Group

Thomas Dunbar, chief information risk officer, XL Group

Dunbar, XL’s chief information risk officer, contracted with Secure Network Technologies in Syracuse, N.Y., to conduct a DDoS attack against the firm’s externally facing websites, unbeknownst to XL’s internal security team and service provider.

Dunbar also had Secure simulate an advanced persistent attack, in which it entered and quietly remained within XL’s systems to conduct a “reconnaissance” on any vulnerabilities that could be exploited to gain access to customer information or proprietary data.

“It’s good to run these tests for a longer period of time, because infrastructure might change when we deploy a new business application or launch a new line of business,” Dunbar said. “We can see how our network and colleagues react to the changes and determine the prolonged strength of the program.”

Secure’s Chief Executive Officer Steve Stasiukonis said that Dunbar doesn’t just want to protect the company, he also wants to understand “the enemy to the Nth degree.”

“In all of the years that I’ve worked with companies, nobody ever really wants to simulate a DDoS attack to understand their weaknesses, but him,” Stasiukonis said. “Tom is a pioneer — he wants to see how his people will really react.”

Dunbar leads a six-person cyber risk team that works with XL’s business units and information technology department to identify and remediate cyber risks.

To combat identified threats and vulnerabilities, they have built a strong technological structure that monitors, prevents, detects and responds to security events.

They have deployed an advanced data loss protection infrastructure to ensure that XL’s data — particularly confidential customer information — are contained within the XL network.

“These tools have really resonated with our colleagues and have clearly raised the level of XL’s cyber security awareness and preparedness.” — Jacob D. Rosengarten, executive vice president and chief enterprise risk officer, XL Group

Overall, Dunbar has taken “a very holistic approach” toward minimizing cyber attacks, said Jacob D. Rosengarten, XL’s executive vice president and chief enterprise risk officer.

For example, Dunbar and his team have taken a leadership role in educating XL’s employees about cyber security “by harnessing innovative and creative communications media that capture the imagination” — whether through posters in lunchrooms, short webinars or contests that test password security, Rosengarten said.

“These tools have really resonated with our colleagues and have clearly raised the level of XL’s cyber security awareness and preparedness,” he said.

Dunbar said his team focuses on education to drive behavioral change, as employees are often “the weakest link.”

“We encourage people to use the ‘see something, say something’ philosophy,” Dunbar said. “We want them to speak up if they see something strange in their email inbox, or if they see something unusual going on in the system, and to also give feedback to make security stronger.”

“We want to make our colleagues one of the strongest links,” Dunbar said.


350px_allstarRisk All Stars stand out from their peers by overcoming challenges through exceptional problem solving, creativity, perseverance and/or passion.

See the complete list of 2014 Risk All Stars.

More from Risk & Insurance