For many in the insurance field, technological developments may present a new calibre of vulnerabilities to be concerned of. However, a more risk-based approach to cyber security that is rooted in a maturity-based model will allow the industry to keep up with the pace of modern life without sacrificing its hard-earned vigilance.
“These innovations are an opportunistic risk,” said Benjamin Dulieu, the chief information security officer at Duck Creek Technologies. “There certainly is a yin and yang to adopting new technologies, but the benefits are beginning to outweigh the drawbacks.”
Speaking with Insurance Business, Dulieu outlines how to get a firm footing in the ever-evolving world of cyber threats how his training in the United States military helped prepare him for the world of insurance.
Throughout the past decade, the need for robust cyber security for businesses both large and small has only gained momentum, becoming one of the most talked about phenomena across industries.
This has also become a hot topic amongst insurers, as the landscape is ever evolving and requires security professionals to always be ahead of the curve.
“Once a vulnerability has been handled by cyber security professionals, a new code is written months later that builds upon the weaknesses of its previous iteration,” Dulieu said. “This means that threat actors are getting a lot more attentive on how to sidestep protections and security measures that are put in place.”
Similarly, the proliferation of threat actors, especially novice ones, are creating greater opportunities for ransomware or phishing campaigns thanks to AI technologies like ChatGPT.
“These ‘script kiddies’ are realizing it is actually quite easy to attack vulnerable businesses without having an extensive cyber threat background,” Dulieu said.
Businesses need to be prepared for the risk, and responses should include action grounded in ingenuity.
“Having a foundational cyber security program that is rooted in a maturity-based model is more vital than ever,” Dulieu said.
He highlighted the National Institute of Standards and Technology (NIST) and Control Objectives for Information and Related Technologies (COBIT) frameworks as models for advanced security measures that should be used for cyber security measures. “If you follow any of these frameworks, you will organically and deliberately have data hygiene and will be following security best practices.”
A more recent development is zero trust architecture, which requires authentication and authorization during each stage of interaction between a user and a network, which can create hurdles for threat actors to navigate.
For Dulieu, the insurance industry has an infamous reputation for its luddite tendencies, and while this may be warranted in certain regards, it sets the industry back in terms of a holistic evolution.
“The industry is still using antiquated technology and old school databases,” he said. “There is a whole reservoir of untapped potential that these advancements can offer, and they certainly can be adopted without losing sight of the bigger, risk-aware framework of insurance.”
Generative AI technologies such as ChatGPT offer one opportunity that can help streamline productivity and aid in bolstering security measures; another opportunity is the adoption of cloud-based security.
“The ‘migration to the cloud’ is an old term now but it brings a whole new way to look at security architecture,” Dulieu said.
“If you don’t have that experience today, you’re falling behind. You need to learn how to defend that cloud environment, which isn’t the image of a castle with fortified walls like on-premises security infrastructure.”
Dulieu’s foray into the insurance industry was rather happenstance, but there are foundational connections to his training as a command and control systems officer in the United States Marine Corps.
“I actually thought I was going to head into the sales realm, but my training in the Marine Corps primed me for a venture into cyber security,” Dulieu said. “My foundation in technology really opened these doors for me to break into governance, risk and compliance type roles.”
Dulieu’s time in the Marine Corps instilled the values of collective team building and accountability. “As a leader, I am responsible for everything I do and fail to do, including the team that I oversee,” Dulieu said.
“This necessitates a need for understanding, empathy and compassion to drive a team towards a common objective.”
Dulieu also learned the importance of turning everything into a process. “If you don’t make things repeatable, then you can never identify efficiencies and inefficiencies he said.”
“This is especially true for cyber security, where everything needs to be formalized and scalable, with the ability to adapt, but reliability is key.”
