In this edition of CISO Conversations, SecurityWeek speaks with two CISOs from the insurance sector: Jason Rebholz at Corvus Insurance, a Boston, MA-based cyber insurance specialist soon to be acquired by Travelers, and Jason Ozin at PIB Group, global insurance advisors headquartered in London, UK.
Getting started and becoming a leader in cybersecurity
Most current CISOs did not start by choosing a career in cybersecurity. When they started their journey, the need for cybersecurity was just emerging; and their career destination was achieved through a combination of happenchance, interest, skill, and curiosity.
Ozin did computer studies at university but became an estate agent for ten years. Still, he had a technical background and liked gadgets. He quickly bought a Windows 3.11 PC and started dabbling. He became the tech support for family and friends, and then a few small companies. This sideshow continued growing until he abandoned other work, brought in partners, and ran an early managed service provider – basically, he says, “A technical support and security services organization.”
He did this for 21 years before selling the organization to his partners and taking a year off. When he returned to the job market, he did so as CISO of a rapidly growing insurance intermediary firm. “It’s mental,” he says, “and I’m enjoying every moment of it.”
Rebholz’ route was slightly more conventional. He started with programming courses at school but did not enjoy them. He was advised to look at networking, and he did enjoy that. “I ended up buying a bunch of books. I read them cover to cover, and literally found the security aspect of networks by accident.”
He went on to a college with a cybersecurity focus, and obtained an internship with the college, running vulnerability scans. “I would send reports over to the business unit, and typically never heard back.” But by this time, the direction of his career had been set.
After graduating, he applied for a position with Mandiant. He didn’t expect to get it, but he did. He thought he’d be asked to do pentesting in line with his internship, but he wasn’t. Mandiant handed him a hard disk, and he was told, “Here you go; tell us everything that happened on it.” It was his introduction to security forensics, and he was in his element.
“I was a nerd in high school,” he said. “I would speed solve Rubik’s cubes because it was a puzzle or problem to be solved.” Problem solving is a foundational requirement for cybersecurity, and computer forensics is pure problem solving.
Career progression is by one of three routes: dead man’s shoes (not recommended in today’s fast-paced economy), seeing and grasping an opportunity, and creating the opportunity you seek. New opportunities come fast in technology and cybersecurity. Rebholz saw one in leaving Mandiant for a start-up (Crypsis Group, subsequently acquired by Palo Alto) where he could be a bigger fish. Ozin saw an opportunity in abandoning estate agency to develop a managed services organization.
Part of career progression involves becoming a leader rather than a follower. This involves two requirements: knowledge and ambition. “Ambition is your fuel,” says Rebholz. “That’s what will get you somewhere. But your knowledge is the GPS, telling you how to get there and how to use your fuel efficiently. You need a blend of both to really get somewhere.” Ambition is innate. Knowledge comes through learning by experience, expanding your role, and becoming responsible to and for others as you climb the ladder.
Ozin believes similarly. Leadership comes with learning by experience and having confidence in yourself. He adds, “I think enjoying your job and your role and the path that you’ve put yourself on is a huge, huge positive to help you in that journey.” Both believe that a thorough grounding in technology is essential for a CISO.
Building the cybersecurity team
Any leader is only as good as the team he or she leads. Building and maintaining a strong security team is both essential and difficult during a well-documented cyber skills shortage – and every CISO develops a personal methodology.
The standard route is to seek both qualifications and experience – but this is a difficult ask for junior or entry-level positions. It usually requires a compromise on one or another requirement. Rebholz relaxes on qualifications. “I do not require any certifications for my team,” he said. He prefers to look for either experience or potential.
“Potential is a bit harder to suss out,” he added, “but I look for examples where a candidate has gone into situations without knowing anything, but still managed to figure it out. A certification could be a useful stamp of approval, but I will never make it a requirement on the job description.”
Ozin finds the recruitment issue so problematic that he outsources to service providers wherever possible – such as an outsourced SOC. “The whole cybersecurity training field is broken,” he said. “If you look on LinkedIn, you’ll find people complaining about the lack of candidates or the unrealistic salary expectations. At the same time, you’ll see lots of junior candidates out of university with a cybersecurity degree or an information security degree saying they can’t get a job because even the entry level jobs want three years of experience on top.”
There is a solution, he suggests, but it is beyond the practical resources of most organizations. “The way to fix this is to mentor people and train people and have training programs that have apprenticeship programs. The trouble is, I haven’t got time to do that. I should be doing it, but I haven’t got time to do it.”
Wherever a company recruits and employs its own in-house security team, the process is further complicated by the growing acceptance of a need for diversity within the team. This includes, but goes far beyond, gender diversity.
“Diversity is essential for success,” said Rebholz. “The core need is for a team that has multiple viewpoints and multiple backgrounds and multiple experiences so you can get to the best answer. If you have people who grew up in the same industries or with the same backgrounds, you’re really handicapping yourself – you’re going to miss out on some potentially better ideas that come from the infusion of different sources.”
True diversity will include neurodiversity, LGBT and potentially reformed blackhat hackers – but that brings additional issues. Diversity comes from minorities, and minorities come with additional stresses. The solution here, says Rebholz, is to foster a culture of mutual respect. “There must be that mutual respect from everybody in the team. Power comes from diversity that truly meshes. So, everyone needs to understand that we are intentionally doing this, and we’re going to take the time to listen and understand each other. We’re going to take the time to have disagreements as long as we’re working constructively and productively towards a better outcome for what we’re working on.”
Mental health is another problem for any CISO – both personally and for every member of the team. Burnout is a burning issue. While it is difficult to prevent team members leaving for promotion or simply greener pastures, burnout is something that can and must be alleviated.
“Burnout is real, and it’s a problem in the industry,” said Ozin. “The fix is to stop putting people out. Insist people keep to their set hours. If you want more work, pay for it, and make it optional. And don’t take unfair advantage of the new kid who’s trying to impress you.”
Rebholz agrees that burnout is a problem. “I’ve experienced it myself, especially within incident response. We don’t do ourselves any favors – we have this mindset that we need to be available 24/7 in case anything happens.”
The real difficulty is that it is sometimes true. “Sometimes we just have to put our heads down and work through a crisis.” But that’s for relatively short periods, and under normal circumstances he insists that PTO is not merely taken, it is complete, disconnected PTO.
The key, he believes, is the team spirit that must be fostered. We’re all working together. “You must encourage people to raise their hand and say, ‘I need a break, I need to step back.’ And you give the team space to operate like this, with everyone watching out and supporting each other.”
A word on cyberinsurance
It would be remiss to talk to insurance CISOs without asking about cyberinsurance. Rebholz’ opinion, as a cyberinsurance provider, is obviously supportive. Ozin, however, has a nuanced view. “Cyberinsurance is really, really useful,” he says; “but it is useful rather than essential.”
He believes that the initial approach from the insurers was too complex. It was aimed at SMBs, but SMBs were unable to answer the complex security background questions the insurers asked — so nobody bought it. To redress this, the insurers went too far in the opposite direction, and asked simple questions that had little bearing on the security posture of the customers.
This gained traction with the SMBs, and as a result, insecure companies took insurance, got hit by ransomware, and the insurers got stung. The irony, according to Ozin, is that ‘ransoms’ should not be the purpose of cyberinsurance cover.
Today, he suggests, “Yes, of course you should get cyberinsurance — but not for paying ransoms. That’s a financial penalty for security failings and may be something you just need to swallow if you are legally allowed to. You need insurance to pay for the expert post-compromise crisis management team that becomes essential.”
That’s not cheap. It’s too expensive for most companies to retain on standby in case of a crisis, but it must be available at a moment’s notice — just in case. The best solution is to pay insurance to ensure crisis management is available as soon as it is required. Otherwise, brand damage and legal costs may easily exceed the ransom and have a longer-term detrimental effect.
All successful leaders have a storeroom of good advice received along their journey. In some cases, it was delivered personally; in other cases, it was simply observed. For Ozin, the standout advice was observed.
“The chairman of a charity I was involved with had just sold his company for £135 million,” [worth more in today’s money], he explained. “It was a small company he had inherited – and he just grew it beyond recognition. The key point was when he realized he wasn’t very good at the business; that he wasn’t best at everything. So, he hired people who were better than him – and that’s when the business took off. What I learned from this is: if you want to do something, make sure you’ve got good people around you, people who are even better than you, and let them share your success.”
For Rebholz, the advice was ‘under promise, and over deliver’. That doesn’t mean you suggest you cannot deliver what is required, but that you always strive to deliver more. It promotes your image of accountability and responsibility. “That was the best advice I ever received,” he said. “I received it early in my career. It was meant for consulting where you’re responding to a client, but it applies to absolutely everything.”
Successful leaders are also natural mentors able to provide advice from their own experiences. Ozin’s advice is to start from IT. “You cannot be a good mechanic if you don’t know how the engine works.” He accepts that this may not be the standard view of cybersecurity, but adds, “You’ve got to have a love for the actual technology and to understand the innards of it before you can actually go on to secure it.”
He doesn’t have much faith in the cybersecurity courses offered by some universities. “I’d much rather take someone who’s been into computers from the age of 12 because of a love for the technology. I think those people can learn much, much more than somebody who’s just done the rote cybersecurity learning.” His advice for potential security leaders is simple: if you want to progress in cybersecurity, make sure you have a thorough knowledge of the technology concerned.
The advice from Rebholz is to be ready for a mindset shift. “When you become a leader, it’s no longer about you. You succeed when your team succeeds. This applies to anyone who moves from an individual contributor role to a team leader role. It becomes, ‘How do I make everyone else around me successful?’ That’s your job as a leader. If you do that, success will follow you. When you start seeing previous members of your team becoming as, or more, successful than yourself, that’s when you know you’ve done leadership right.”
Leadership is also understanding and plotting the path forward. For cybersecurity leaders, this involves an awareness of the security threats and risks that are coming.
Ozin believes the third-party risk is a genuine risk, but not one we can do much to solve – assessing third parties has not been effective. “If you look at the third parties that have been breached recently, most have had an A-star in any assessment given to them. Third parties remain a risk, but it is not the biggest risk we can address. The biggest risk is still going to be from outside with exploits and phishing and ransomware. They’re not going away. They’re here to stay for a long time and they will remain top of the threats.”
For Rebholz, the threat is a combination of external criminal professionalism and complacency at home. “Some of the toolkits coming out now are bypassing weaker forms of multi-factor authentication,” he explained. “I fear we are walking into a perfect storm where we’ve been touting the merits of MFA for years. It is still one of the most effective things you can have, but now there are different phishing kits that are bypassing application push-based authenticators. As it becomes easier for hackers to do that, it becomes more important for security leaders to start implementing phishing resistant MFA in their environment. Otherwise, we’re going to be operating in a space where the tool that we’ve most relied on for the past five to 10 years simply no longer works.”
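To illustrate the difference Rebholz draws between push-based and phishing-resistant MFA, here is an added example (not code from the article or from either company) showing the relying-party checks that give WebAuthn its phishing resistance. The browser fills in the origin and the authenticator signs over it, so an assertion collected on a lookalike domain fails before any signature is even checked; the domain names, challenge and authenticator data below are constructed for the example.

```python
import base64
import hashlib
import json

# Constructed sample values (not from the article): the relying party's real
# origin, and a lookalike origin a phishing proxy might present to the user.
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
CHALLENGE = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # base64url challenge issued by server


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def verify_assertion_binding(client_data_b64: str, auth_data: bytes,
                             expected_origin: str, rp_id: str, challenge: str) -> bool:
    """Check the parts of a WebAuthn assertion that make it phishing resistant.

    The browser, not the user, writes clientDataJSON.origin, and the
    authenticator signs over its hash together with authenticatorData, whose
    first 32 bytes are sha256(rpId). An assertion obtained on a lookalike
    domain therefore carries the wrong origin and is rejected here, whereas a
    push-based approval carries no such binding. Signature verification over
    these same bytes is assumed to follow this check.
    """
    client = json.loads(b64url_decode(client_data_b64))
    if client.get("type") != "webauthn.get":
        return False
    if client.get("challenge") != challenge:  # replay protection
        return False
    if client.get("origin") != expected_origin:  # the phishing-resistant step
        return False
    return auth_data[:32] == hashlib.sha256(rp_id.encode()).digest()


def make_client_data(origin: str, challenge: str = CHALLENGE) -> str:
    """Build a base64url clientDataJSON as a browser would for a given origin."""
    payload = json.dumps({"type": "webauthn.get", "challenge": challenge,
                          "origin": origin})
    return base64.urlsafe_b64encode(payload.encode()).decode().rstrip("=")


# Constructed authenticator data for the genuine RP: rpIdHash + flags + counter.
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")

if __name__ == "__main__":
    genuine = make_client_data("https://login.example.com")
    phished = make_client_data("https://login-example.com")
    print("genuine:", verify_assertion_binding(genuine, AUTH_DATA, EXPECTED_ORIGIN, RP_ID, CHALLENGE))
    print("lookalike:", verify_assertion_binding(phished, AUTH_DATA, EXPECTED_ORIGIN, RP_ID, CHALLENGE))
```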