The Big Dogs of Cyber
David Hudson remembers when cyber security was an observational practice—waiting and watching for a rare security breach to occur and then reacting accordingly.
But these days, Hudson says, when a ransomware event can bring a business to its knees, companies must anticipate what can occur.
Information technology leaders are having trouble filling information security and other tech positions.
Brokerage CISOs are getting involved early in every new technology introduced by the IT department.
Every merger and acquisition represents a cyber risk in the making, with every step of a transaction at risk of an attack.
“We don’t need people watching the pot boil,” says Hudson, chief information security officer (CISO) at AssuredPartners. “We need them solving cyber-security problems, making sure we’re doing everything we can to protect our customers’ data.”
These problem-solvers comprise today’s information security (infosec) teams at AssuredPartners and other large insurance brokerages. While they hold the usual professional credentials such as the CISSP and work to audit and control frameworks such as SOC 2 and ISO 27001, they also must have critical thinking skills, enabling them to plan for and solve complex risks. “They need to understand the business in relationship to the strategic implications of the threat landscape and be able to communicate these issues to others so they understand them, too,” Hudson says.
The challenge is recruiting this rarefied talent at a time of historic shortage in these in-demand skill sets. Nearly three quarters of CISOs, chief technology officers and other IT leaders surveyed by the Institute of Electrical and Electronics Engineers in November 2021 cited difficulties filling open infosec and other tech positions. In December 2021, a U.S. Commerce Department job-tracking database tallied nearly 600,000 open cyber-security jobs. The most recent (ISC)² Cybersecurity Workforce Study affirms this steep uphill climb, citing a skills shortage of almost three million infosec professionals worldwide. Many large insurance brokerages are confronting precisely these personnel shortages.
Given the data-intensive nature of the insurance industry, brokerages have long recruited software coders, data engineers, enterprise architects, app developers and specialists in the use of AI tools such as machine-learning algorithms. Cyber-security professionals with soft skills like critical thinking, however, are the toughest find. “These thinking skills are crucial to objectively analyze rapidly changing threat vectors and threat actors to implement optimal solutions,” says Robert Allen, chief information security officer at Gallagher.
Digitization’s Double-Edged Sword
The insurance industry has been a target of hackers ever since insurers and brokerages digitized their data, potentially exposing policyholders’ personally identifiable information (PII). In the hands of the so-called threat actors, this data can be used to perpetrate fraud and other malicious crimes.
Lately, the threat actors are eyeing data on a specific set of policyholders—businesses that have purchased cyber insurance policies that will pick up the cost of a ransomware attack. Cyber crime gangs believe the insureds are more likely to pay a ransom since the insurer is paying for it.
According to the 2022 Insurance Industry Cyber Threat Landscape Report published by IntSights, by compromising the network of an insurer or a brokerage, threat actors can identify and obtain the cyber-security standards of these insureds. “The details of cyber insurance policies, particularly the maximum ransom amount…are very useful to ransomware operators,” the report states.
Threat actors leverage these details to calculate an optimal ransom amount—“high enough to maximize profit but low enough for victims to accept,” the report states. “Knowledge of the security standards helps attackers craft their techniques to evade victims’ security measures.”
Brokerage CISOs are responding to rapid digitization by getting involved as early as possible in every new technology introduced by the IT department. Before a team of software designers and engineers designs and develops a business app, for example, the infosec team needs to be in the initial meeting to understand the app’s purpose, how it will work, and who will use it.
Lockton is actively looking to recruit a global chief information security officer. The more global the CISO, the better, says Byron Clymer, Lockton’s chief information officer. “Our geographic reach has expanded dramatically outside of the U.S. the last three or four years, introducing a new set of problems for us,” Clymer explains.
These problems largely have to do with the cyber-security compliance regimes in new international markets such as South Africa, Australia and Hong Kong, among others. Clymer is hoping to find a CISO with all the traditional cyber-security certifications and global operating experiences.
“While there are international data protection regulations like GDPR [General Data Protection Regulation], most every country has nuances,” he says. “There’s no one-size-fits-all regulatory consistency. We need a CISO with critical thinking skills who understands these differences. These competencies are the costs of entry.”
Job candidates must come to the recruitment table with knowledge of the business climate, culture and cyber risk landscape in each of Lockton’s geographic markets and their respective data privacy and protection rules and regulations.
“They need to be able to demonstrate they know how one country differs from another country in terms of risks and regulations,” Clymer says. “The person needs to understand how we do business in each of these areas—that’s very important, too. As my position becomes more strategic and business focused, our cyber-risk practice must follow suit. We’re only as strong as the weakest link.”
Once hired, Lockton’s first global CISO will need to hit the ground running. “Once we bring the individual in, we want them to use their expertise in gradually building out a more efficient information-security infrastructure,” Clymer says. “First, we want the person spending time to better understand our business, then come back with a strategy and operating model for each of our geographies.”
It’s a big ask, especially at a time when companies across industry sectors also seek CISOs with a broad set of skills. Add one more skill to the set. “My philosophy is that the CISO has to have scars,” Clymer says. “We’re looking for someone who made a couple decisions that failed but learned from the ramifications. That’s key to this role, as the cyber threat landscape is always shifting.”
Allen says his team works closely with the firm’s technology development teams across all business units. “As part of our global application security program, we leverage tools like static and dynamic security application testing and software component analysis,” he says. “Our intent is to ensure we have the practices in place from the start to code securely, followed by a number of test and validation scenarios that confirm the quality of the software release.”
Hub International pursues a similar practice. “Mitigating cyber risk during our significant digital transformation has required that we shift toward a DevSecOps model, which is tailored to the needs of each transformational initiative,” says CISO Jeremy Embalabala. DevSecOps—development, security and operations—involves a platform and culture in which cyber security is integrated as a shared responsibility throughout the entire technology design and development life cycle.
M&A Fuels Cyber Risk
Digitization isn’t the only changing piece of the landscape for brokers. Mergers and acquisitions continue at a record-breaking pace, and it’s expected that many brokerages will continue to grow their national and international market footprints through expanded M&A activities. That’s a cyber risk in the making, since every step of an M&A transaction, from initial due diligence through the post-merger integration, is at risk of a cyber attack.
“The prior strategy here was to acquire, assimilate, risk and repeat,” Hudson says. “The sheer number of acquisitions, somewhere in the 40s and 50s each year, meant we were receiving security risks at an increasingly alarming rate. From a regulatory compliance standpoint, we did what was needed—everything was above board—but we need to do more and are doing it.”
Hub is another firm that has scaled quickly and recognized the need for its cyber security to keep pace with its growth. In 2017, Hub hired Embalabala as its director of security architecture and engineering to help design and develop a new information-security architecture.
“Hub had some security controls at the time but was not at the level of cyber-risk management the organization wanted,” Embalabala says. “Back then and through the present time as well, the firm was involved in an extraordinary number of acquisitions.” Hub was among the top buyers in terms of announced U.S. deals in 2020 and 2021.
Given the potential for a damaging cyber incident, the fast-growing brokerage committed ample resources to the future CISO. “Our road map was to build out the security program in a year and a half, shifting the team from reactive security to a proactive, full stack, end-to-end infrastructure,” Embalabala says. Full stack refers to the entire array of software products and technologies, such as the operating system and database software.
“The focus now is on maturity—how to improve our operational capabilities,” Embalabala says. “As we continue tweaking our processes to become more efficient and scalable, the infosec team’s remit is to help our business grow in a safe manner. That’s a far cry from the days when teams chased down alerts in an IT system.”
Allen recalls that, when he joined Gallagher in 2020, it was specifically for the opportunity to enhance the firm’s cyber security at a time of significant growth. “Our entrepreneurial nature had resulted in an extraordinary number of agency acquisitions, a condition that continues to accelerate,” Allen says. Gallagher was in the top 20 acquirers in terms of announced U.S. deals in 2020. “Each acquisition typically had its own cyber-security infrastructure and infosec team,” Allen says. “My remit was to align all these security folks and our individual business units around the world from a people, process and technology standpoint.”
Since taking on the CISO role, Allen has created a centralized Global Security Office that oversees the brokerage’s cyber-security programs and practices at nearly 900 offices worldwide. He also created a new infosec infrastructure, with a cyber-risk reporting hierarchy based on the cyber-security frameworks of the National Institute of Standards and Technology and the International Organization for Standardization (ISO).
As part of this new infrastructure, seven business information security officers (BISOs) have been stationed across Gallagher’s operations in Europe, the Middle East, Africa, Asia-Pacific and the Americas, each required to report to the Global Security Office on changes in the region’s information risk profile.
Altogether, more than 100 people internally are involved in the firm’s cyber-security programs and practices, in addition to the many cyber-security specialists employed at third-party managed security service providers. The MSSPs provide a range of services, including firewall management, anti-virus services, intrusion detection, threat intelligence gathering, and network penetration testing. The internal and external experts effectively share Gallagher’s information security responsibilities.
“By analyzing our information risks, we can determine a consistent and cost-effective approach to security measures,” Allen says. “We don’t want each BISO buying individual technology solutions when a strategic MSSP partner may already provide it or we may determine that a broader technology implementation could serve [the need].”
Like other chief information security officers, Allen plans to expand his information security team. “We’re on a multiyear road map to add skilled infosec professionals during a war for this talent,” he says. “We’re being very thoughtful in terms of developing the present teams to strategically position us for what everyone sees as an escalating threat.”
Building an Enterprise Approach
To thwart attacks of this kind, Joe Martinez, chief information security officer at Aon, has battened down the hatches with a world-class infosec infrastructure staffed by an army of internal and external cyber-security professionals. “We’ve tripled the size of our internal infosec practice since I came on board,” says Martinez, who became CISO in October 2015.
At the time, Aon was transitioning from a holding company structure into an operating company composed of hundreds of offices across the world. “The previous CISO was focused on business security, but I was the first real CISO, as we think of the job today,” Martinez says. “We had a lot of fragmented technology solutions, making cyber security less holistic and consistent.”
His assignment was to consolidate Aon’s cyber prevention, detection, response and recovery on a globalized basis and improve the network security architecture and controls, reducing the chance that a threat would exploit a network or system vulnerability. “It’s never a question of if a company will be attacked, but when,” he says.
While the infosec team initially focused on incident detection, they “moved hard,” Martinez says, “into the fundamentals of incident prevention, stopping the bad things from happening by having the controls working the way we needed them to work. We needed to see all the things we could see and to stop all the things we could stop. Our clients demand it.”
Two years ago, Martinez initiated a new cyber-security infrastructure, in which different functions, divisions and business units are aligned in an “all-company response” to cyber security, he says. “We put together a Cyber Incident Governance Committee comprised of all the risk leaders across the firm, such as the operating officers and the heads of functions like audit, legal and investor relations. I’m the chair of the group, and my team is the leadership arm.”
The enterprise approach ensures cyber-risk accountability and the sharing of best practices across Aon’s mammoth global footprint and abundance of intermediary services, such as insurance, reinsurance, health solutions and wealth management.
Boards on Board
Several brokerage CISOs say that board oversight of information security has increased. Allen says he meets with Gallagher’s board of directors and various standing committees at least quarterly. “The executive team and our board have been very supportive,” he says. “That’s vital for CISOs today.”
Embalabala cites an increase in Hub’s engagement with the audit committee of the board of directors. “We’ve moved from an annual report to the committee to a quarterly discussion on cyber, focused on risk management,” he says.
AssuredPartners’ board also expects Hudson and the firm’s chief information officer to be “integral contributors” to the content the directors review on cyber security, he says. “The challenge with a CISO’s responsibility to the board is expressing technology security issues as salient business risks,” he adds. “In the short time we have their attention, we need to explain our [cyber readiness] state and our road map for improvement and mitigation [without] overamplifying the concern.”
The Talent Dearth
The job of a chief information security officer, especially one at a fast-growing insurance brokerage, is not for the faint of heart. The pace of the firms’ digital transformations, driven by client needs and expectations, has made managing information-security risks a nail-biting exercise.
Other thorny issues confronting CISOs include their firms’ ongoing appetite for acquisitions, an increasingly concerning threat landscape, and the supply/demand imbalance in infosec skill sets. After a couple of years of “re-platforming” Aon’s IT architecture with a range of leading network and system security solutions, Martinez acknowledges he needs more people internally with strategic competence. “Our skill sets need to expand to become more risk-focused, compliance-focused and governance-focused,” he says. “Adding these skills at a crazy time in the industry is not easy, since every broker is competing for the same talented people and trying to hold on to the ones they have.”
While recruitment has been an uphill battle, Martinez says he has managed to keep his cyber-security team’s attrition rate small—“testifying to the importance of the work we’re doing, contributing to something that is bigger than all of us,” he says. “To make up the shortfall, we’ve spent the better part of the past two years upskilling and reskilling the team. Nevertheless, we still need additional information-security professionals across all disciplines, as we’re in the midst of expanding our cyber-solution practice.”
Embalabala confronts a similar need. “We’re looking for additional information-security professionals with experience in cloud engineering and data analytics to help architect more sophisticated processes and controls,” he says. “Since cyber security is the fastest-growing job in technology, I’ve had to rely pretty heavily on individuals I’ve worked with in the past in other industry sectors to help me identify people interested in furthering their careers in the insurance business. I’ve got six open positions at the moment.”
Filling the ranks will take time. Most colleges and universities have just begun to include cyber security in their technology curriculums, meaning that CISOs in all industry sectors will not be positioned to solve their infosec recruitment needs any time soon.
Yesteryear’s in-house infosec team member was part technologist, part investigator. Today, many companies turn to managed security service providers (MSSPs) to provide 24/7 threat detection, rapid incident response, compliance management and ongoing cyber monitoring.
By leveraging an array of advanced solutions customized to their clients’ needs, MSSPs offer a high level of cyber security. Such partnering organizations are repositories of the latest threat intelligence, giving brokerages a head start to fortify their networks and systems.
“We use MSSPs to manage a large portion of our operational capabilities, such as the SOC [security operations center],” Embalabala says. “For example, our partnership with Deepwatch [formerly GuidePoint Security] gives us 24/7 ‘eyes on the glass’ threat monitoring. The alternative would be hiring seven or eight additional technical security analysts in-house, which is challenging in the current recruitment environment.”
In addition to outsourcing the security operations center, Hub uses managed security service providers to oversee general event log management, initial incident response, and penetration testing. “We don’t have the capabilities internally to take on something as crucial and sophisticated as penetration testing,” Embalabala says. “It’s not a core competency at this time, so we push that out to the third-party partner.”
Like many other insurance brokerages, Gallagher also outsources penetration testing to a third-party vendor, in this case Mandiant. “They do red/blue team ‘purple’ testing,” Allen says, a type of ethical hacking involving two opposing teams of cyber players, one playing offense (the red team) and the other defense (the blue team). The goal is to maximize the effectiveness of the cyber-security strategy by integrating the threats and vulnerabilities discovered by the red team with the defense tactics and controls of the blue team.
Although Aon relies on an outside partnership for high-level penetration testing, Martinez says the brokerage “benefits enormously” from services provided by Stroz Friedberg, a global cyber security firm that Aon acquired in 2016. The renamed Aon Cyber Solutions offers its services to Aon clients and the brokerage itself.
“They’re among the world’s leading experts in digital forensics, incident response and cyber-security science and have been engaged in many of the world’s biggest data breaches,” he says. “Since I’m responsible for all security here, the risk policies, controls and technology, as well as all the platforms, that makes me the most fortunate CISO on the planet.”
Insurance brokerages often partner with several MSSPs, each with a particular core competency. Gallagher recently transitioned to a new MSSP general partner to evaluate the strategic fit of its other third-party partners. “They’re a more mature, larger-scale vendor that can provide us with 24/7 global monitoring support,” Allen says of the firm, ReliaQuest. “Following the sun, so to speak, and reporting on it daily to the team.”