IAG is undergoing an organisation-wide restructure and consolidation of its security functions, bringing cyber and physical security as well as other areas like internal fraud under a new central banner.

The combined security operation is called 'cyber and protective services' or CPS, and is being led by Jeff Jacobs, who joined IAG as its CISO in 2015.

The restructure appears to have started as early as April this year and has so far brought together cyber security, physical security, operational resilience, crisis management and internal fraud under CPS.

The new CPS division sits within IAG’s group risk business unit, which is led by group chief risk officer David Watts.

“IAG has been on a journey to bring together security-like functions for some time now, including physical and cyber security, along with its internal fraud, crisis management and resilience functions,” Jacobs told iTnews.

“We started by merging cyber and protective security and have now added these new functions.

“The objective of this strategy is to reduce duplication, better share data and insights and lift our overall capability to detect, respond to and recover from security and fraud incidents.”

IAG is codenaming the restructure and consolidation as a 'fusion' of its security operations.

It has identified a series of "key focus areas" that are arranged into work programs spanning the next two years, covering the full gamut of security functions.

"One of the key areas from a cyber perspective will be the implementation of our Zero Trust strategy and roadmap, which is key to us further enhancing our security and enabling our hybrid workforce model," an IAG spokesperson said.

"Other focus areas include the continuation of our privileged access and authentication work, our compliance and risk program and continuous improvement of our cyber defence technologies and services.

"From a 'fusion' perspective, we will be looking for opportunities to bring the various related functions closer and use advanced analytics to better protect IAG from cyber and physical security threats and internal fraud."

Standing up CSAC

Within the CPS team will sit a newly created function called cyber strategy, architecture and consulting (CSAC).

Led by Natasha Passley, CSAC will ultimately "be made up of a core team of security domain architects, internal consultants and strategists, and may be augmented with additional roles as services are further defined or the need arises," an IAG spokesperson said.

It is still a new function, however, and the team is still being assembled.

"The goal of the CSAC team is to bring security closer to all areas of the business through a team of forward thinking and innovative security experts who partner with all areas of IAG to provide strategic direction," the spokesperson said.

"The team sets the security target state, researching new and alternative security approaches, and identifying opportunities for process and technology improvements to increase efficiency and enhance our business operations."