Claude, QBE has a large global footprint, I’m curious where do you have the most geographical concerns?
The cyber threats that QBE and its customers face aren’t constrained by geographical boundaries, so unfortunately I can’t be too focused on threats from a single geographic area – even if it would make my life simpler.
My priorities are therefore based more on the value of the data that QBE holds in our different geographies and how well the data is protected. Geographic differences do come into this equation due to differing regulatory environments, business models and also differences in the security awareness and general tech savvy of our customers and employees in different geographies.
I’m hearing more about Internet of Things and in particular Smart devices. This starts to move the needle for Insurers where risks are more dynamic and indeed perhaps in real time. How do you see your role transforming in 5 -7 years time when these technologies are starting to be in the market?
I think we have already seen the evolution of the CISO role from solely protecting technology to being more about managing information and cyber risk, and unfortunately more about managing the impact of breaches.
In my view, the Internet of Things and Smart devices are likely to accelerate this evolution as a result of the huge increase in data gathered by these devices, all accessible from the internet. This has huge potential for both managing (and insuring) risk and creating risk; and CISO’s will need to be able to guide their businesses on building security and privacy into these devices by design while enabling the business to harness the value of being able to measure just about everything.
These issues and opportunities may emerge quicker than the 5-7 year timeframe that you infer. Let’s not forget that Insurers are already using devices to sample driving styles and measure the use of cars by customers, thereby enabling a more accurate quote based on their actual driving.
On a scale 1-5, do you expect that your investment on Cyber & Information Security will be increased over the next 3-5 years[CM2] ? What’s going to drive that?
The simple answer is that yes - QBE will continue to invest in Cyber and Information Security, which I expect is true for most organisations.
I think it is important to stress that as an insurer, this includes investments to improve our own internal capabilities, the development of cyber insurance products to support our customers, and possibly investments in security companies where the investment returns make sense. The launch of the National Science and Innovation Agenda by the Prime Minster will hopefully increase the attractiveness of Australian Cyber & Information Security startups and companies to the investment parts of our business with the obvious consideration of risk and return.
At QBE, what percentage of your records are truly digitised and how much are scanned documents? [CM3] Do you apply the same security framework to both media?
QBE treats information, especially that of our customers regardless of its form, as one of our most important assets with security measures applied according to its sensitivity and classification. We are increasingly digitizing our processes to ensure we can offer optimized and streamlined processes to our customers.
How involved are you and your team with new digital developments? I’ve heard a CISO in another Insurance enterprise explain that they have a member in every agile standup for new systems?
Our involvement is crucial in ensuring that security is built in by design to all new digital developments. The level of engagement required varies depending on the risk of the digital development, with a member of the security team looking at a variety of criteria during the consultative triage process.
Some of these criteria include an assessment of the sensitivity and classification of information involved, the reliance on third parties, the scale and complexity of the development and the use of new and emerging technologies.
For you personally, when you want to understand Cyber security best practices where do you go to learn about this?
There are a variety of resources available within the industry that I continually refer to keep on top of what is happening both from vulnerability and threat intelligence perspective, as well as general security best practices. There are commercial offerings from vendors, research firms and professional industry organizations and open source information from industry commentators and universities. There are also an increasing number of massive open online courses (MOOC) with security specialisations that I’ve looked into.
I don’t rely particularly on one particular source and try to gather insights from as many sources as possible, but I often find the most useful insights tend to come from conversations with my peers in other organizations and from interactions within the QBE global team. I can only encourage others in the industry to share more of their best practices with each other as it can only benefit everyone.
Within the QBE environment, are you more concerned about the internal technology vulnerabilities or of rogue insiders?
If you consider that rogue insiders would typically have significant information about the internal environment, the security and fraud detection controls in place and even the vulnerabilities that exist, I believe a single rogue insider is more likely to result in a business impact, while being incredibly hard to prevent.
This is not to downplay the importance of continually patching vulnerabilities to reduce the risk of other threat actors exploiting known exploits. This is critical to every organization and QBE is no different, especially when considering that 99.9% of exploited vulnerabilities in 2014 were disclosed more than 12 months before, according to Verizon’s 2015 DBIR.
How do you keep up to date with developments in Cyber Security? I heard another CISO who ensures that his staff are all accredited to be able to ‘hack’, thus they understand vulnerabilities and can ‘defend’. What have you done in this regard??
Technology is changing so rapidly — no one can keep up with everything that is changing and evolving, so training and education is critical to the long term success of the security team. As part of QBE’s commitment to our staff, we encourage and support them in pursuit of further certification and education where relevant to their role.
This includes providing regular internal professional education sessions with internal presenters, invited vendors and other external parties. Another key aspect is ensuring that globally we are connected and able to support each other. To this end, we have adopted the use of a variety of collaboration tools within the security team and hold regular collaboration sessions with global representation.
How do you balance your own bandwidth between attention on your longer term security agenda and today's issue that has just arisen?
As a CISO, you are always going to need to balance strategic and tactical priorities. My job is made a lot easier for me by with a strong global security operations team, we are blessed with a good leader that I can rely on where needed when issues arise.
It is also important to note that one of the key outcomes of our longer term security agenda is ensuring that QBE is prepared to deal with today’s issue effectively and efficiently. This means that every issue is an opportunity to kick the tires on our incident response plans and make sure that we are adequately prepared for tomorrow’s issue.
What are the key attributes that you look for when selecting a new staff member? Also I’m aware that there is a shortage of capability in the industry - how long does it take on average to find new talent?
I look for positivity and an understanding and ability to communicate business risk. I’m looking for someone who despite having a healthy dose of cynicism is really positive about making a difference. They work in security because they want to make an organization better. They also understand that, in the end, security is about enabling the business to achieve long-term success and can communicate in that way.
Finding new talent is tough in some areas with a lot of companies competing for top talent with certain specialization, and there is a much smaller number of companies with the resources to develop and grow talent. That means it could take months to find the talent you actually need whether that’s someone with really technical application security skills or with the right business engagement skills. My view is that the industry needs to focus more collectively on growing talent and I’m really encouraged by the number of companies starting to partner with universities to develop and support cyber security curriculums.
In using IT security third parties and partners, what do you look for in terms of key selection criteria? How often do you expect these partners to revalidate their credentials??
The criteria that I use is obviously contextual on what the third party and partner can offer QBE in terms of security capabilities (or more precisely risk reduction), value for money and (where possible) global standardization to avoid unnecessary technological complexity.
Ensuring IT security third parties continue to add value is one of many challenges that security teams face and revalidation of this is crucial. This is typically done periodically by QBE through agreed performance SLA’s and at least annual assessments, and we are looking at additional ways to measure value continuously.
Finally, what keeps you awake at night?
The nature of my role means that I’m awake most nights and working with the teams spread across the globe on various initiatives.
I’ve always been concerned that we are not doing enough collaboratively as an industry, whether it be educating the general public, growing security talent or sharing threat intelligence.