For the next instalment in our series of interviews asking leading technology specialists about their achievements in their field, we’ve invited the CIO/CISO of World Insurance, Liz Tluchowski to share her thoughts on the state of Cybersecurity today.
Liz is in charge of cybersecurity for both the corporate side of World Insurance, which is one of the 100 largest insurance brokerages in the U.S. and the 125 additional agencies around the country that they have acquired.
Tell us about the business you represent, what is their vision & goals?
World Insurance Associates is a top 100 U.S. insurance brokerage headquartered in Tinton Falls, NJ. The company was founded in 2011 by four original partners one of whom is our CEO, Rich Eknoian, and another our Director of Mergers and Acquisitions, Phil Nisbet.
World has completed dozens of acquisitions since 2012 and continues to do so, making us the second fastest growing insurance broker in the U.S. World has more than 140 offices across the country and specializes in several insurance solutions.
What inspires and energises you within your work?
My work encompasses an exciting mixture of two roles as CIO/CISO. From a CIO perspective, that includes providing a secure technology platform suitable to support operations and provide client satisfaction, as well as an environment built to accommodate the substantial and aggressive growth of the organization.
From a CISO perspective, this means the continuous need to understand what we are facing in terms of possible threats, disruptions, both internal and external, as well as what our growing state requirements are as we enter other geographic locations. This also requires putting systems and processes in place to protect our clients’ data and have a secure platform for our organization to provide customer service and satisfaction.
I have spent the last four years growing the IT team from three people to forty-five people (as of today) to handle the various needs of 140 offices throughout the US. My energy comes from the day to day results and having an amazing team that I have the privilege to work with every day, and for a company with outstanding leadership that supports our efforts.
Can you share a little bit about yourself and how you got into cybersecurity?
I have been in the insurance industry for 30 years, holding various IT lead roles that led to becoming CIO. As cybersecurity concerns, state laws and compliance requirements increased so did the need to appoint a CISO.
I assumed this role at my prior employer and dedicated much of my time to learning everything that I could about cyber. At that time the New York Department of Financial Services put into place a framework of cyber requirements, and since the firm I was with was licensed in NY, I put my efforts towards making certain that we had everything in place to meet those requirements.
I found myself very interested in the position and cybersecurity. When I was asked to join World Insurance back in 2017, it was in the same capacity as a CIO and CISO which I maintain to this day. As our company grows so does our need to constantly assess our security needs, processes and systems.
What advice would you give to someone wishing to start their career in cybersecurity?
Educate yourself on everything that you can in terms of laws that centre around cybersecurity program requirements, handling of data and incident reporting requirements. Understand that while there are stories every day in the news around cyber losses, it is challenging at times for people to understand the importance of cybersecurity initiatives and why things must be the way that they are in terms of system restrictions.
Be prepared to present to boards the security needs of the organization and the why’s. Be a good listener, all areas of a company have reasons why they need to transact business in the way that they do. Although you know you are doing what you can to protect the organization, the employees are also trying to do what they can to bring in and service the business. Therefore, listening is an important component to finding a place that satisfies all of the needs of the companies.
You will be challenged every day trying to do everything that you can do to protect the organization against the bad actors, therefore always be prepared to lose some sleep, it comes with the role.
What are some misconceptions that you believe businesses have about cybersecurity?
That IT (CISO’s) want to be difficult and that all you do is say no to everything. That hackers do not see every company as a target, regardless of the size and nature of the business, therefore cybersecurity is not as important as CISO’s make it out to be.
Also that Cyber is an IT function when in fact it is everyone in an organizations responsibility to do their part in being cyber smart. The misconception that companies recover in “10 minutes” from all system issues including breaches. That cyber insurance covers a loss due to systems and data compromised regardless of the security framework, or lack thereof, in place.
Do you think that cybersecurity training should be mandatory for the majority of businesses?
Absolutely mandatory for the entire business. Anyone in cyber knows that hackers hack people more often than systems. Employees need all the education you can provide them.
Training and training again is imperative as are phishing tests to understand where your weaker links may be within the company, as well as to understand where additional training may be required. Accountability should play a part once the employees have been trained and tested. Our company holds formal training sessions and we also send out weekly email reminders to employees on topics pertaining to security with tips and tricks. It is imperative to constantly remind people through various methods what to be on the lookout for.
How has the rise of insider threats impacted the cybersecurity landscape?
As we continue to grow so does our need to be more aware of the insider threat, both intentional and unintentional. Solutions may include more training, testing (since users are the first line of defence), defined security policies and procedures on what people can and cannot do, limiting access to critical systems and of course immediate offboarding when a person may be suspected as potentially disgruntled.
I also think that we are now constantly monitoring our systems and data through the use of more sophisticated tools that provide visibility, alerts and data governance. This has become the new normal.
How can an organization protect itself against this type of threat?
Monitoring tools, segregated permissions on networks, only providing access to data and systems necessary to do a person’s job, including the layers of IT support. Defined onboarding processes in terms of a person’s past employment, perhaps background checks.
Paying attention to signs that may arise and indicators that a person is not happy and has the potential to cause harm to the organization. Training staff that if they see something, say something.
__How do you find managing logs assists your day to day work? __
Visibility is a critical component to maintaining and enhancing security in our environment. Understanding where weak links in employees, processes, systems and data may exist gives us a blueprint to improve security and operations.
Having an organization with offices across the US, we are using this data daily to determine where we may need to enhance security in specific locations. The logs and metrics are also imperative for incident reporting, and documentation when required.
Are there any books, blogs, or other resources that you highly recommend?
I highly recommend reading articles, blogs, and anything else from outside groups and peers doing the same thing you are. I am always looking for new ways and materials to educate myself. I particularly found value in Hacking: The Art of Exploitation and the Harvard online course Cybersecurity: Managing Risk in the Information Age.
Would you like to share any cybersecurity forecasts or predictions of your own with our readers?
I suspect we will see stricter laws around data and framework, and system software requirements to help in the prevention of a breach (such as CMMC compliance). AI will take a role in determining potential data breaches before they take place. Cyber insurance will have stricter underwriting guidelines and requirements.