Insurers need cybersecurity governance

A recent survey about cyber-security found a lack of proper skills to be a major hurdle in the ongoing battle of corporations vs. cyber threats. In addition to lack of skills, areas of concern were poor organizational training, shortage of staff, and improper prioritization from the top.

These are critical findings, especially as cyber threats will only continue to increase. But, interestingly, these concerns are similar to ones faced before in the insurance industry when it’s come to both the evolution of the IT and data organizations: shortage of skills and staffing, a poor culture around technology and data, and a misunderstanding of priorities at the management level. So as insurers look to handle cyber security going forward, it will be helpful to look at how the industry has tackled IT strategy and, more recently, data strategy.

Establishing a leader and/or forming a centralized organization is a good start. All insurers have a CIO or similar technology leader in place, and many insurers have hired a CDO or data leader. For small and mid-sized insurers, the CISO (Chief Information Security Officer) role is still rare, and often it’s the CIO who performs these functions. But especially with new NY state regulations and similar ones emerging elsewhere, naming an official CISO will become more common. However, it’s not enough to put a leader in place. A CIO, a CDO, and a CISO can have responsibility for an area but they need to be empowered and they need to have a seat at the table. Likewise, building a pipeline of talent is critical, but also just a step. Insurers need to create an ongoing governance process that includes stakeholders from across the organization.

di-stock-server-1126-b
Servers stand in a computer room at the Yahoo! Inc. Lockport Data Center in Lockport, New York, U.S., on Friday, Sept. 26, 2014. Yahoo Inc., a $40 billion Web portal, is expected to release third quarter earnings on Oct. 21. Photographer: Andrew Harrer/Bloomberg

For IT, most insurers have a Project Governance that meets regularly to approve projects and determine priorities. This results in alignment across the business as to where technology will be focused and means that all IT initiatives are part of the overall business objectives. A CIO can’t effectively make these kinds of prioritization decisions on his or her own, and as many insurers have learned (though some are still learning), there is no distinction between IT and the business. Project governance is key to making that a reality.

For data, a similar evolution is currently taking place. Many insurers have a Data Governance process, with a similar set of stakeholders. Data governance groups make decisions around the flow of data through the organization, they agree upon data dictionaries and definitions, and they review any changes to key systems that will impact the kind of data being collected and reported on. More and more insurers are hiring a Chief Data Officer or VP of Data, but without pairing the leadership with data governance there’s no way to seek the cultural shift towards a data-driven organization.

And for security, a similar reckoning is necessary. A Cyber-Security Governance group with multiple stakeholders will help the organization understand security initiatives and align them with the business. It will allow training and education from the top-down at the organization. It will allow leadership to make informed decisions about risk tolerance rather than letting budget limitations decide for them. And it will allow a CISO to have real authority behind him or her when pushing for necessary changes across the organization.

Unlike project governance and data governance, however, cyber-security initiatives are risk-based rather than project/initiative-based. Security risks are assessed leveraging the NIST standards, and the CISO ranks them by impact to the organization, likelihood of occurrence, and frequency of occurrence. A cyber-security governance group with various business stakeholders can’t be making priority decisions the same way they do for IT and data projects. The point of cyber-security governance will be to educate and explain, and to provide a forum for the CISO to set priorities with the backing of the CEO.

Though IT, then data, and now cyber security have different drivers and stakes, we see the same kind of evolutions again and again in the insurance industry. Insurers can move more quickly by following a proven path to success.

This blog entry has been reprinted with permission from Novarica.

For reprint and licensing requests for this article, click here.
Cyber security
MORE FROM DIGITAL INSURANCE