An industry veteran with more than two decades of experience, Kelly Isikoff joined RenaissanceRe in 2016 with global responsibility for directing strategy, operations, and budget for the protection of information assets.
Before joining RenaissanceRe, Isikoff was an Executive Director for JP Morgan Asset Management, where she was responsible for setting security strategy and policies as well as managing operational security departments. Prior to her time with JP Morgan, she was a Senior Vice President for Citigroup and managed infrastructure, data management and security across departments. Previously, she also worked at Warner Music Group, where she led security and new media initiatives to identify innovative revenue channels within technology.
In an exclusive interview with CISO MAG, she discusses cybersecurity practices in the insurance sector, women's representation in the cyber world, and much more.
Please tell us about your role and responsibilities at RenaissanceRe.
I am the head of information security for the global organization. I also manage all of the strategies and programs that will help us maintain our compliance across most of the regions. I also manage the additional groups that feed into security and have a role to support overall defenses. That being said, we are a smaller organization, and unlike the larger organizations I worked with in the past, we are using different types of managed security service providers for different capabilities to achieve the same level of security. So my role is to transform the organization, manage a lot of the overall security program, and help it maintain and achieve compliance with the pretty big regulations that are coming up and hitting a lot of other financial firms and worldwide global firms.
It looks like a lot of the states within the U.S. have started to fall in line with the same cyber regulations that we have in New York. It seems like every country around the world is starting to uplift their cyber regulations, so making sure that we get things right and follow a standard process and framework is the key to making sure that we don’t have to continue to go through our compliance checklist with each one of these different countries, states, and jurisdictions.
Cyber attacks in the insurance sector are growing exponentially, as companies are migrating toward digital channels in an effort to create tighter customer relationships. What are the things RenaissanceRe is doing to keep the hackers away?
I mean, there's not one practice that we follow. We have a lot of partners that we work with and a lot of vendors that we manage, and that (third-party security management) is a big issue for a lot of companies, not just a company of our size. There are a lot of new companies that are entering the space and provide assessment services. Unfortunately, some of them are not as robust as others.
So, third-party security is a big issue, and we are receiving more and more requests from clients for much more exhaustive security reviews of our controls. A lot of my time is dedicated to calls with our investor group and different types of business clients to go over our security program with them and then go over their security program with us. So, there's a lot of vetting of partner security that's happening across the industry.
As you said, you are actually working with a lot of third parties and partners. What do you do to keep the data transfer absolutely secure?
Well, we follow different frameworks. Our strategy focuses on the cybersecurity framework, which is really flexible across industries and really simple to follow, and we also follow the Top 20 Critical Security Controls, which were developed from a lot of industry practice within the community. So, that's our strategy and that's how we set our programs for the year.
How important is cybersecurity education or training for employees in keeping cyber threats at bay?
Security awareness training is very important to us. We have continuous programs as well as digital annual trainings and certifications. Also, there are company meetings on key security risks to the organization. Security is everyone's responsibility, not just one department's. As far as protecting ourselves against a cyber threat, we have a lot of controls on data access on a need-to-know basis. We really have a strong program around building out our access control of critical data in critical systems.
What is your take on cyber insurance?
We're really seeing an evolution of cyber as a specific product to cyber as a peril which can influence multiple insurance products. Most insurance products today focus on credit monitoring and notification costs, and these costs are often required by regulation. So we see potential growth for risk managers as they assess cyber risk for their business and start to work more with insurers and reinsurers on ways to assess, monitor and mitigate risks. This could include broader cover for system failure and interruptions, for example.
Do you think cyber insurance is keeping pace with cyber-exposure?
Definitely. I know that a lot of large financial institutions are increasing their coverage through larger cyber offerings, and a lot of other multiple insurance products are starting to develop cyber policies within them. So, we're seeing more cyber policies going into multiple insurance clients.
The representation of women in cybersecurity has remained stagnant at 11 percent for the past four years, according to a report. This is despite growing awareness of cybersecurity and expanding career options. Most of the time, the reasons cited are the lack of women role models and the impression the industry carries. What can be done to break the gender stereotype so that women, even in their teens, are inclined to join the cybersecurity space?
Well, you're right! There's definitely a skills gap, and I do feel like a minority in my profession. I think some of the things we can do are to promote cybersecurity across universities to encourage young women, because it is a really dynamic and interesting field that's constantly changing. It's not just something for programmers or people who like technology. It is much more diverse than that. You need to have an investigative type of mindset, you need to look at a lot of different ways that your systems, your information, your business can be compromised, and have the ability to work with the business to understand your risks, so you can protect against them. It's really important for me to mentor young women who are interested in moving into security.
According to you, is there anything that the CISOs are doing wrong at a time when the threats are evolving with each passing day?
What we really need to learn from recent attacks is that CISOs need to understand the full scope of security. It's not just the infrastructure perimeter anymore. It's also about applications, user behaviour, and other things. They need to know the overall threats that are targeting your organization. You need to follow the cybersecurity framework, employ it for your environment and understand your risk level. Say, if you're managing a company that has a lot of Web exposure, you really have to up your application security program. Overall, it's about understanding the risk level of your organization, speaking closely with the business leaders to comprehend the key risks and how you mitigate those risks, and building depth of control around those risks. That's what I would recommend to CISOs or new CISOs entering that space, because that's where I've seen a lot of CISOs fail.
What advice would you give to a budding information security professional?
There are so many different areas within security to grow into. So, get broad, in-depth knowledge of the various kinds of security domains, and understand the different domains and the skills you'd be using in each area. Basically, understand what might interest you! That's what I would recommend to anyone who's getting into security, because there are so many different specialties within security. It wasn't like that when I got into security. I worked between infrastructure and application groups, managing the security process domain. There weren't many specializations then, whereas now there are so many specializations, and with that there are many opportunities to learn and develop unique skills that make you even more valuable in the marketplace.