Why people are the best asset (and biggest risk) in insurers' cyber defence – Stuart Harrison, CISO, Medibank
For a defiant Stuart Harrison, Medibank’s chief information security officer, cybersecurity isn't something that you can simply "buy your way out of" or throw the latest tech solutions at. The strength of your cyber defence is, ultimately, contingent upon the quality of your people.
Speaking at FST’s Future of Security conference earlier in April, Harrison repeatedly underscored the importance of quality over quantity in human resourcing in bolstering Medibank's own cyber posture.
“People are our first and last line of defence,” he said. “All the tech in the world won’t make any difference until we get people across the line,” he said.
Medibank is one of the major players in Australia’s health insurance industry – formerly government-owned, now the second largest private health insurer in the country, it represents nearly 1.8 million policyholders, with revenues exceeding $6 billion, and a staff of more than 3,500 individuals. However, no more than 12 people hold the fort of Medibank’s defensive perimeter, representing less than half of one per cent of the organisation’s available staff – a situation common in many fellow insurers.
“These 12 people are responsible for helping safeguard our members, our customer information and our company,” Harrison said. “They’re at the end of the pointy stick – and it’s a very pointy stick even on a good day.” For an organisation that hosts highly sensitive customer data, including personal health and financial details, there is no doubt an immense weight of responsibility on the shoulders of this cyber dozen.
Getting the most out of this finite human resource – which often cannot be scaled with ease or without significant cost – requires organisations to not only “find the right people” but to also “get smart about how you use those people,” he said.
For Harrison, the best cybersecurity teams are not only comprised of highly competent, qualified and IQ/EQ-'intelligent' people but, perhaps most importantly, are made up of individuals that are intuitively “aligned with your values, your organisation, and your [corporate] mission.”
“We look for people that align to our values and what it is, by way of our mission statement, that we seek to achieve – that’s really important, because these people have all got the same alignment without me needing to tell them to get aligned with our values,” he said.
“The sheer number of people means very little in cybersecurity; we look for people that align to our values and what it is by way of the mission statement that we seek to achieve, because these people have all got the same alignment without me needing to tell them to get aligned with our values.”
Yet, Harrison concedes, the proliferation of socially engineered attacks and the less insidious – though far more common – risks of human error, mean that people within the organisation also present its biggest security vulnerability. Organisations, therefore, cannot be complacent to the ever-present threat from within.
“We have some great people working for us, and what we have is, I believe, genuinely a very healthy working environment. But while it’s good to trust your people, there are some that are very far from who they claim to be.”
“People are the weakest point in the security chain. So think long and hard about how you enable your people – and that’s everyone in your organisation – to help your security needs.”
Bringing your board on the cyber wave
Implementing a holistic, and well-resourced security program requires the consent, coordination and understanding of all staff – including, most critically, the executive board – many of whom are little versed in the intricacies and value of cybersecurity technologies and individual roles.
For Harrison, getting board members on-side requires cybersecurity teams to set realistic expectations about their responsibility to the organisation. Security must never be ‘sold’ as a blanket preventative measure; breaches and human error are inevitable – the goal remains, fundamentally, about risk minimisation.
“We can only affect the likelihood of something happening: the consequence is the consequence, the impact is the impact. If you lose my passport, there’s not much I can do to get that piece of my identity data back,” he said.
Effective communication with board members requires a common touch, using plain language that is infused with data-backed evidence. “People love data,” Harrison said. “When it comes to security, many of the senior executives... like big red buttons and green buttons. It's about making sure you’ve got a compelling picture to place with your people,” he said.
“Get some good graphics and a good presentation layer behind your data. Don’t make a subjective call; find good information that really speaks to people about what’s going on in your network.
Too often, board members and non-security staff are simply unaware of the enormous value and impact that cybersecurity teams deliver to organisations.
“When I speak to people, they have no idea that we deal with 500,000 spam attacks, all via email a month. And that’s nothing compared to some of the big banks. People find this genuinely intriguing.”
Harrison himself has assumed this information-sharing role as a personal mission.
“On a daily basis, I’m out there engaging with the business, understanding what the challenges are, converting our technical 'mumbo jumbo' into English that people can actually consume, absorb and act on.
"[I make] sure that we have the appropriate processes and technologies in place, ensuring that our approach allows us to have compliance with the regulation standards as a by-product of doing the right thing rather than a box-checking exercise."