Why Aflac’s CISO Went Into the Lab

Heightened attention on information security is a major theme this year in insurance: High-profile breaches at health insurers Anthem and Premera rocked the industry, and the National Association of Insurance Commissioners has convened a Cybersecurity Task Force to evaluate insurers’ efforts to protect policyholder data. The organization has drafted a cyber bill of rights for insurance consumers as well.

It is in that environment that Deloitte has begun convening CISO Transition Labs, one-day courses designed to help information security leaders meet the challenges of cyber risk.

“The goal is to help an individual who is in a CISO role, in a one on one session, prioritize key activities, looking at their team, their technological competencies, and stakeholder relationships they need to develop,” says Rick Siebenaler, Deloitte principal. “We’ve developed a whole program of training and courses for professionals.”

An early lab participant is Aflac chief information security officer Tim Callahan. A veteran of the Air Force, Callahan has been protecting digital assets in the military and in financial services throughout his career, which included a stint at SunTrust Bank in addition to Aflac. He says that insurers – especially companies in lines of business like Aflac’s that deal with health information – are increasingly targeted by hackers.

“Over the last couple years the threat has shifted, where insurance used to be mid-level, now it’s being targeted at a high level,” Callahan says. “We’re watching that as a present threat but also an emerging threat, as the criminals get more sophisticated.”

Aflac’s relationship with Deloitte began when the insurer contracted the consultancy to do an internal audit of its information security protocol. Satisfied with those results, when Deloitte floated the prospect of the lab, Callahan decided the outside perspective would be valuable.

“I was very much surprised about the experience and how effective it is in mapping out where we wanted to take the program,” Callahan says. “They walk you through how to think about things, help to document some of the things you want to be effective at early on. When you leave, you have a fairly formalized document that you can start putting together and have a high-level path in process.”

Overall, Siebenaler says, insurance companies have shown a level of interest in the CISO labs on par with their peers in other industries. Insurers tend to match up with two particular CISO profiles, he explains: Technologists, who assess and implement security technologies and standards to build organizational capabilities; or Guardians, who protect business assets by understanding the threat landscape and managing the effectiveness of the cyber risk program.

“The common struggle is that they are often not connected to the business or have a full appreciation for the business, and certainly not well positioned as being a change agent – more of a necessary evil,” he continues. “The lab is designed to help them shift that dynamic and become more strategically aligned with the business.”

But even before the lab, information security was a high-level topic for Aflac officers, Callahan says. Though Deloitte’s program helps CISOs identify and work with the key stakeholders across the business to help encourage vigilance across the insurance enterprise, Callahan says he’s already presented “20 to 30 minutes” on cyber security in an officers’ meeting.

“Rather than make it an academic security program, we understand the risk specific to Aflac and the insurance industry. It’s making it about enabling the business and our company to be successful,” he explains. “It’s emphasized at every echelon of leadership in the company.”
