From Compliance- to Risk-Based Security


Information technology, cyber threats and security postures are constantly evolving in a high-stakes race. As CNA, a multi-line business and personal insurance company, began shifting to more managed services in 2010, its security posture also had to change to ensure the company was doing the utmost to protect systems and data.

Robert Allen, CNA’s chief information security officer, arrived just as the insurer began the shift. And, in early 2013, he added infrastructure services to his list of responsibilities. Allen describes the change in philosophy as becoming more pragmatic and less compliance oriented.

“We were very compliance oriented before I came on board,” Allen says. “And with Tom Motamed, our new CEO, coming over from Chubb, we wanted to drive a lot of improvements in terms of revenue and acceptance of risk and really change our risk posture. It was an opportunity to change our risk approach with security as well.” As a result, Allen says he was challenged to collaborate and advise business partners, including the company’s own technology underwriting arm and cyber insurance team, resulting in a substantially improved security program.

“Those are natural partners that we weren’t regularly collaborating with,” Allen says. “We wanted to go through the cyber insurance process. We felt it would be a good way to build some relationships with the personnel on the business side, but also to evaluate our security program against some of the other larger players in the industry that go through this process. It was quite exhaustive.” 

To assess the company’s cyber risk, CNA used NetDiligence, which offers cyber risk management services. While unwilling to discuss the assessment in detail, Allen says CNA emerged from the process rated very highly.

“I was interviewed for about four hours across different panels of about 12 different underwriters, who picked apart our program and required evidence and answers to a number of questions to detail where we stood, domain by domain,” Allen says. “It was just another data point that suggests we’ve got a credible program; and it’s something we’re actually very proud of. People can fool themselves that, from a compliance and audit standpoint, they have a sound program. But I would attest that further digging, regular testing, preparedness, table-top exercises, and finding new ways to look at your program, are rather valuable.”

As a result of the exercise, Allen’s team now is more actively sharing ideas, resources and information with CNA’s NetProtect team, which is responsible for the insurer’s cyber insurance offering, and the CNA risk control team. It also is in regular contact with external partners, who in many cases are competitors.

The IT security community is relatively small, Allen says, and insurers have historically been at a disadvantage to tech companies when it comes to talent. “To find quality candidates, who have business experience, who can relate and understand work flows, business process and understand where you have risks and exposure from a data perspective? That’s tough to find,” Allen says. “And that’s the type of talent that we’re all fighting for.”

To make up for the shortfall, CNA and other insurers are banding together through peer-sharing forums, such as those sponsored by Gartner, he says, to discuss evolving best practices.

“We meet on a quarterly basis, face-to-face,” Allen says. “We have set agendas where we’ll rotate presentations on data-leak prevention strategies or things we’re doing around forensics or electronic discovery. It’s really almost teaching each other what’s working, what isn’t working, and learning from each other. There are NDAs [non-disclosure agreements] in place, and there’s a trust amongst the companies involved; this is all confidential and we’re not sharing this beyond the companies that are part of the group.”

This is especially important, Allen says, because talent, more so than tools, is what frequently determines the effectiveness of security measures. “A lot of us are running the same tools and technologies,” but the results can vary, he says, based on talent and corporate culture.

“Security is evolving as a discipline,” Allen says. “Folks really sold the fear.” Now, he says, the goal is to provide simple, clear, concise security solutions, such as data encryption, forensics and awareness training. “Folks will find ways to go around it if it’s not intuitive. You need to be that much more thoughtful about the design and what you’re offering to employees and making sure they understand why they’re accountable. They’re part of the solution.”

That end-user buy-in is critical, he says, and depends on the tools being well designed and intuitive. “It’s very easy to insert solutions that maybe don’t have that same look and feel or are not intuitive,” he says, which can lead to a “check the box mentality. That’s what I mean about the compliance and audit aspect of security. It’s ensuring that folks understand our reputation is at risk based on your accountability as a data steward, a data owner and protecting our assets. And especially for an insurance company, that’s our critical intellectual property.”
