“One of the best lessons I ever learned was when I worked for this colonel,” said Ben Dulieu (pictured above), a former US Marine Corps captain and now chief information security officer (CISO) for Duck Creek Technologies, a global firm specializing in digital insurance technology.
“He once said to me: ‘Lieutenant Dulieu! No matter what you do, everything needs to be turned into a process because if you don't turn things into a process, you can't identify efficiencies or inefficiencies,’” he said. “That's so true in everything we do.”
It’s a story that might provoke flash backs of Jack Nicholson and Tom Cruise in the movie, Three Good Men. Dulieu was responding to an IB question about learnings from his military career that he now applies to cyber security work.
“I have always looked at my time in the Marine Corps as the building blocks and the foundation of who I am, both personally and professionally,” he said.
Dulieu said his military experience has taught him three major lessons he applies as a CISO in the insurance industry: strategic thinking and the importance of both standardization and empathy.
By way of explanation, he said his current role involves understanding nuances around technology and that’s important but that’s “absolutely not” the only requirement.
“The things that the Marine Corps taught me include strategic thinking which means thinking about alignment with a broader strategy,” he said. “If I was just thinking about my one unit then we would fail, right?”
Dulieu said its important in his current high level cyber security role to “pull it out, look across the entire organization, understand the role that we play an understand how it all connects together.”
Another ingredient in this strategic thinking around complex projects is standardising.
“We have to standardize,” he said. “The American military is so fantastic and known for our ability to standardize things.”
The “last piece” of learning from his military career is somewhat surprising.
“Believe it or not - I know it's probably not a trait that a lot of people associate with the Marine Corps - having empathetic leadership and having the ability to understand people, to influence people and to do things you need them to do when they probably wouldn't want to,” he said.
Dulieu said as CISO he can’t expect to control everything .
“I have to work with the engineering teams, product teams, infrastructure teams and the marketing groups,” he said. “The way I have to do that is by understanding what their goals are and being able to empathize with their needs and be able to influence them.”
The current cyber threats facing insurance companies, he said, relate to their huge reservoirs of data from almost every citizen in the country about mortgages, cars and health insurance, to name a few sources.
One key risk, he said, is some insurers’ well known use of antiquated technologies.
“So legacy systems and legacy vulnerabilities,” said Dulieu. “Although the insurance industry doesn't have a monopoly on that problem, they are absolutely relevant to the insurance industry and probably one of the biggest issues.”
Cloud systems, now favoured by many insurers over data centres, are also a potential weak point.
“Most organizations that have a technology innovation or they’re moving their systems and those legacy platforms to the cloud and that increases the threat profile,” he said. “It increases the landscape of where they're being attacked from, it increases the complexity.”
As result of this combination: huge amounts of data, legacy systems and a complex cloud migration, he said the insurance industry is “a pretty good target for hackers.”
Ransomware, he said, remains a major threat.
“I have seen insurers that were impacted by ransomware and some of which were offline for weeks at a time,” said Dulieu. “That means you're done! It's over!”
Another cyber risk, he said, come from the insurance industry’s innovation around big data and big analytics and how that ties into artificial intelligence (AI).
“In order to maintain the data you have to have some level of AI that adds the value to it and there's new threats around attacks against AI, and then leveraging AI to attack,” said Dulieu.
Social engineering, for example stealing an employees credentials, he said, remains the source of the majority of cyber attacks.
What can the insurance industry do to reduce the threat from cyber attacks? Please tell us below.
