IT security was a critical element of retired US Col. Barry Hensley’s 24-year military career as an Army Signal Officer, as he was often responsible for the engineering and installation of “military networks, whether in garrison or in support of combat troops deployed.”

“The pinnacle of my military career was working with an elite group of cyber forces with the ultimate mission to operate and defend the military’s global communications network,” Hensley tells CSO. “It was during this period that I realized the severity of cybersecurity issues facing this [US] nation, and I wanted to commit my professional career to be part of the solution while continuing to fight the good fight.”

Today, Hensley is the CSO of Brown & Brown, a global insurance brokerage whose goal is to help clients safeguard what matters most to them.

CSO spoke to Barry Hensley about cybersecurity in the insurance industry, how to keep cyber professionals inspired, and more.

How do organizations today perceive cybersecurity?

Hensley: The awareness of cybersecurity risks is more consistent across industry today, but the degree of required call to action often varies greatly. Cybersecurity is foundational to any organization, especially where customer confidence and trust are essential. And part of that trust includes the security of the networks, the data, and the services we provide.

It was not that long ago that organizations did not believe the risks were real or relevant to them. Times have changed as more organizations have either experienced a significant incident firsthand or have seen enough third- and fourth-party breach notifications to take up arms. All these events drive awareness and give credibility to the threats and associated risks. However, there is still a challenge in establishing an appropriate risk tolerance that drives the right investments in effective security controls, especially for budget-constrained organizations.

We also cannot forget the rise of government intervention and fines and other regulatory actions related to cybersecurity events that will influence those perceptions.

What specific security risks are you facing in the insurance industry today?

Hensley: Threat actors today have a common theme, and that's how they capitalize on their access. So, personally, I do not over-index on the vertical-specific threats; it's really about the data or access those organizations possess and its perceived value. Specific to the insurance industry, there may be information collected to inform a claim or policy that a threat actor might determine valuable, even if it only refines their targeting efforts of others.

However, we also cannot wish away the “idealist” or “ideologically motivated” threat actors that target the insurance industry because of historical misconceptions or animosity toward the industry.

Specific to ransomware, threat actors are likely to target organizations that have a high likelihood of paying or of being exploited. So, it's as much about the data those organizations possess and the maturity of their security program, not necessarily the industry verticals themselves. Threat actors want to expend the fewest resources for the highest return on investment, so they often target low-hanging fruit, which is, in many cases, the least mature security programs.

Do you see your cybersecurity strategy changing in the next few years?

Hensley: Our strategy remains the same: focused security investments aligned to our risk tolerance, staying a step ahead of an increasingly active threat landscape. An example is the adoption of artificial intelligence hacking tools, clearly an illustration of the need to adapt. The question is, how do our security teams combat this advancement with our own AI strategy? How do we leverage AI to carry out those commodity tasks while unleashing our human teammates to focus on business context as it relates to the overall risk reduction and prioritization of training those AI models?

So, imagine an AI security workforce that is led by human security subject-matter experts ensuring we have appropriate defenses at the right time and right place. An example would be conducting continuous penetration testing to find the gaps in our defenses that might otherwise go unnoticed.

We do see the evolution of third- and fourth-party risk management, especially in how we validate our security partners' maturity and resilience. The evolution of risk is partly based on third and fourth parties swapping their underlying technologies to reduce cost or increase efficiencies, while a customer has little to no understanding of the risks that might expose. So, for the security functions we're going to provide internally, we'll focus on the basics and do them well. With the controls and functions we outsource, we must reimagine not only how we verify our partner environments but how we actively participate to improve their security programs as well as ours.

We cannot forget that much of cybersecurity is about doing the basics brilliantly. And in this case, those basics are building and securing an infrastructure that will still be leveraged for years to come.

What do you do to retain cybersecurity professionals?

Hensley: Leadership is about how you inspire people to achieve or accomplish a shared vision beyond what they ever expected they could do. Leaders must first understand teammates' passions and relevant skills to align them to achieve business goals. Getting their buy-in is key while clearly articulating where they fit in the overall vision.

At Brown & Brown, we help others protect what is most valuable to them. To retain our top talent, we make sure our teammates understand where they fit into that mission. Our success story is based upon earning people’s business every day, and ensuring that our environment, networks, and data are secure is critical to building and retaining that trust. We need to demonstrate to our teammates just how integral they are to maintaining that trust in our customer relationships. We want them to wake up every day knowing that they play an important role not only in our security program, but also the broader Brown & Brown ecosystem.

At Brown & Brown, we put the teammate first, as their expertise will always be a key differentiator.

What are you most proud of?

Hensley: I am most proud of the inspiring team of security professionals that I work with each day. They always put the team before themselves, strive to be the very best at what they do, and always go the extra mile to ensure the security and protection of their teammates and the organization. I am truly blessed to be part of an amazing team whose work ethic and commitment to excellence are unparalleled in my experience.

Are there any questions CISOs should be asking themselves?

Hensley: Are we assessing the most relevant risks, rather than the risks of yesterday? And, because we can get so wrapped up in the playbook that we ran in our last organization, how do we ensure the current playbook is relevant to the organization at hand? An example would be how much time we focus on phishing training, which burdens our teammates with being the first line of defense, whereas we could instead leverage anomaly-based detection to automate the detection and response actions.

What are the biggest security challenges cybersecurity leaders are facing right now?

Hensley: In this business, there is no single biggest challenge, but multiple, ever-evolving challenges that compete for our attention.

A shared challenge across the entire cybersecurity community is having to be right 100% of the time in a world where threat actors are so agile, innovative, well-resourced, and advantaged with the element of surprise. Cybersecurity professionals also struggle with prioritizing their efforts while providing innovative solutions for their enterprises. Every cybersecurity leader must wrestle with the risks posed by new technologies; AI being just one of many.

While there is no absolute “right” answer to the risk question, the age-old formula of mitigating threats against your most critical assets holds firm. Security teams have an ongoing mission to identify weaknesses, assess the likelihood of exploitation, and determine the resulting impact on the business. It’s a difficult but necessary step in the risk versus reward trade-off.

What keeps you up at night?

Hensley: The unknown. As I shared above, cybersecurity professionals must be right 100% of the time, while threat actors only need to exploit one unknown or unmitigated vulnerability, or take advantage of a single user with privileged access. Our risk modeling should invest in effective security controls to minimize the unknown threats as much as possible against our most critical assets.
