In this edition of CISO Conversations, SecurityWeek speaks with two CISOs from the insurance sector: Jason Rebholz at Corvus Insurance, a Boston, MA-based cyber insurance specialist soon to be acquired by Travelers, and Jason Ozin at PIB Group, global insurance advisors headquartered in London, UK.
Most current CISOs did not start by choosing a career in cybersecurity.
Ozin did computer studies at university but became an estate agent for ten years.
When he came back to the job market, after 21 years running his own tech support and security company, he did so as CISO of a rapidly growing insurance intermediary firm.
He went on to a college with a cybersecurity focus, and obtained an internship with the college, running vulnerability scans.
New opportunities come fast in technology and cybersecurity.
Rebholz saw one in leaving Mandiant for a start-up where he could be a bigger fish.
Ozin saw an opportunity in abandoning estate agency to develop a managed services organization.
Part of career progression involves becoming a leader rather than a follower.
Building and maintaining a strong security team is both essential and difficult during a well-documented cyber skills shortage - and every CISO develops a personal methodology.
Wherever a company recruits and employs its own in-house security team, the process is further complicated by the growing acceptance of a need for diversity within the team.
Mental health is another problem for this CISO - both personally and for every member of the team.
While it is difficult to prevent team members leaving for promotion or simply greener pastures, burnout is something that can and must be alleviated.
To redress this, the insurers went too far in the opposite direction, and asked simple questions that had little bearing on the security posture of the customers.
The best solution is to pay insurance to ensure crisis management is available as soon as it is required.
All successful leaders have a storeroom of good advice received along their journey.
Successful leaders are also natural mentors able to provide advice from their own experiences.
He doesn't have much faith in the cybersecurity courses offered by some universities.
The advice from Rebholz is to be ready for a mindset shift.
For cybersecurity leaders, this involves an awareness of the security threats and risks that are coming.
Ozin believes third-party risk is a genuine risk, but not one we can do much to solve - assessing third parties has not been effective.
This Cyber News was published on www.securityweek.com. Publication date: Mon, 08 Jan 2024 12:43:05 +0000