Southeast Schools Hoping to Fill Need for Insurance Cybersecurity Experts

April 20, 2015

The insurance industry, like other businesses, has come to realize it needs to do more to protect its companies, customers, employees and portfolios from cyber threats. Cyber-savvy professionals are in high demand and are being scooped up by companies needing to protect their important information and business systems.

“Historically, the cybersecurity approach has been to build a big wall and put a moat around the castle to keep the bad guys out. I think what you are seeing is an increased recognition that nothing can be 100 percent secure and cyber resiliency and risk transfer are concepts increasingly accepted,” says David Kimmel, CEO of CyberRiskPartners, a company that provides decision-support cyber risk data analytics and risk transfer options to the insurance, risk management and cloud computing industries.

Kimmel says one of the biggest challenges with cyber risk for the insurance industry is that it is not a static risk – there can be dramatic fluctuations in response to technology, and such issues complicate underwriting methodologies for insurers.

“A lot of underwriters are concerned about a ‘cyber hurricane.’ With ever-changing threat actors and vectors the difference between this and a weather hurricane that occurs in Florida is that a cyber hurricane can create problems around the world, not just in Florida,” he says. “There needs to be greater and greater cybersecurity and cyber event data to get the insurance industry more comfortable.”

In the Southeast, several colleges are at the forefront of recruiting and training students in their cybersecurity degree programs to bring more of these professionals to industries like insurance. Georgia Tech, Clark University in Atlanta, the University of South Florida and the University of South Alabama are among those providing cybersecurity education to hundreds every year.

Leaders of these programs say they see plenty of opportunities for their graduates to work with or for the industry in the development of cybersecurity products.

“The [insurance] industry is completely about risk and if they are going to venture into this new market they will need a better way to assess these risks and get the broad surface of what could happen and what the losses could be and how to assess the asset value,” says Dr. Randy Borum, professor and academic coordinator for Cybersecurity at the University of South Florida (USF) in Tampa.

USF’s cybersecurity master’s program is part of the Florida Center for Cybersecurity – a statewide coordinated entity housed at USF that consists of several Florida colleges. It was created and funded by the Florida legislature in 2014 to help Florida become a leader in recruiting, educating, training and employing cybersecurity professionals.

“If we can cultivate those people and create innovative solutions it will create more jobs and more companies will come to Florida,” says Borum.

NSA Honors Alabama School

In Mobile, Ala., the University of South Alabama (USA) recently became a National Security Administration-designated National Center of Academic Excellence in Information Assurance/Cyber Defense. The accolade is a prestigious honor that will help the University attract students who might otherwise not have come to the school or might have chosen another degree, says Dr. Alec Yasinsac, dean of the USA school of computing.

“It is a national level of recognition to students that are looking for a program that is accredited to that level,” he says. “And it also gives us the ability to show that our students have met that criteria and rigor so they can get the best job placements.”

Those job placements could very well be with the insurance industry, particularly as cyber liability insurance products become more in demand and network security becomes critical for both insureds and the companies they are being insured by.

“Insurance is cyclical and we are in a very soft market, but the claims are definitely coming in and the level of underwriting integrity is starting to tighten up. Carriers will start to drill down on what cyber security measures companies have in place,” says Steven Haase, president of INSURETrust, an agency in Atlanta focused on cyber liability insurance. “I’m not sure the insurance industry can continue to sustain broadness of coverage and rates unless security approves.”

Many insurers have partnered with companies like IDT911 to offer value-added services to entice businesses to buy coverage and help mitigate the risk the insurance industry faces in underwriting this segment through implementation of better network security practices. Matt Cullina, CEO of IDT911, says this has created a need for people who have the ability to understand these risks from an underwriting and claims perspective.

“The demand is through the roof for these types of professionals and they are really hard to source. There is so much work out there on the reactive side that the firms that work with these people are in heavy recruiting mode,” he says.

Cullina says he has talked with universities around the country about their curricula and how they can collaborate because there is plenty of potential for these graduates to find jobs in the insurance world. They also recruit and have internships from colleges with these programs.

Cullina says insurance companies should also be investing in in-house cybersecurity expertise.

“If I’m a carrier, I would find it much more attractive to bring on someone right out of school with that data security background that I can then train about insurance and the insurance market,” he says. “Bringing in the young talent with a data background and marrying those skill sets would be highly effective.”

Haase says his agency has been “slowly working” its way to offer security services to partners, and has spoken with security experts about hiring them to work internally, but they are very difficult to find or afford.

Part of the challenge is also finding network security professionals who have a broad enough skill set that they can apply their knowledge towards the insurance industry’s needs.

“I think insurance companies are hungry for security folks to understand our business and understand that the business is not just technology processes. Typically, the very top level companies get the good people and the small businesses are struggling,” says Haase.

The need for this talent is nationwide, and the Southeast certainly is no exception with its strong connections to the military and the many large government agencies based out of Florida, West Virginia and Georgia.

There is also the fact that a large share of identity theft happens in Florida, with the state continually ranking either first or second for identity theft, says Cullina.

Southeast Schools of Thought

The cybersecurity graduate degree programs typically break out the degree into different information technology specialties. At the University of South Alabama, students can choose from a computer science area of study, which concentrates on the understanding and design of computers and computational processes; or information systems, which is focused on information security, the fundamentals of security and the development of network security programs.

The University of South Florida offers three areas of concentration – information assurance, which is focused on information systems, risk management and compliance; digital forensics, which concentrates on recognizing and identifying digital evidence for breach investigations and prosecution; and cyber intelligence, which is the area that concentrates on assessing, mitigating and preventing breach situations.

Borum says their information assurance curriculum has the most direct tie-in to the insurance industry, but all of the degree concentrations are important to the insurance industry’s business models.

“There is the direct service of helping those in insurance sector to protect their own systems and keep up with regulations, but also offering risk management to clients,” he says. “We try to marry technology and intelligence with the domain expertise of cyber so people can develop smarter cybersecurity systems.”

‘Techy Talk’

Cullina says the most effective degree programs are those that take a consultative approach towards driving understanding and really breaking it down so people understand how to protect their systems and how to respond if a security breach occurs.

This also means, “Speaking in clear English and not just techy talk,” says Cullina.

Both Borum and Yasinsac say their schools’ programs have grown significantly since their inception and surpassed their original enrollment expectations. USF will have its first cohort graduates at the end of the fall 2015 semester. Borum and Yasinsac say they encourage the insurance industry to consider these graduates for internships or as employees because their training is broad and critical to today’s businesses. Both schools would be open to discussing how they could collaborate to fill the need.

“The trend in the private sector, because cyber intelligence is such a young area, is that the C-Suite leaders figure they need this function but they don’t know what it is or how to find these people,” says Borum. “We try to negotiate opportunities across private and public sectors for our graduates.”

Yasinsac says he isn’t aware of any of the USA’s graduates going into the insurance industry but that doesn’t mean it couldn’t or shouldn’t happen.

“[Industries] think they can take people and retrain them to work with what the current emerging threat is and that’s just not true – it doesn’t work,” he says. “You can’t take an existing computer workforce and make them cybersecurity experts. You need to hire folks that have been ingrained in it and come from the cybersecurity community so they can apply technology from its core foundational meaning.”

Yasinsac says with the continuing importance and development of cybersecurity products, there is “absolutely” a role for cybersecurity graduates in the insurance industry.

“The people who come out of our programs will be needed by insurance companies to assess the risk that is present to the insurance company. Technical security people should provide input into corporate decisions, such as pricing. These people are very valuable to everyone,” he says.