Data security should be a top priority for any organization, but for insurers tasked with safeguarding sensitive consumer information in addition to their own internal data, the stakes are especially high. Furthermore, while information security has undergone enhancements in recent years thanks to the maturity of artificial intelligence (AI) and other technological advancements, so too have the capabilities of bad actors. 

For Tim Nash, chief information security officer at Zinnia, safeguarding company and client data is about helping people: “At a macro level, if we’re protecting people’s personal data, and protecting corporate data on the corporate side, then ultimately we’re helping people and providing assurance that their data is safe.” In this Q&A, Nash discusses how Zinnia has built a security organization that’s equipped to handle these evolving threats.

What are the particular security challenges faced by the life & annuity industry?

We face many of the same challenges as others in the financial services sector when it comes to ransomware, phishing attacks, and dealing with legacy systems. But specific to our business, you’ve got regulatory compliance, data privacy protection, and fraud detection and protection more in the spotlight because of the additional layer of personal identifiable information (PII) inherent to life and annuities (L&A) insurance. We’re not just dealing with customer names and addresses, but also personal medical histories, family medical histories, and other types of PII that are even more valuable to threat actors to eventually sell or use to demand ransom.

At Zinnia, we’re not just protecting our own data, but that of our clients and their customers. Our clients’ business reputations are on the line as well as ours. That’s why it’s critical that every Zinnia employee has a security-first mindset, and why we focus so much attention on user awareness training for our employees.

Are those the same things you’d say five or even 10 years ago? Has the nature of those problems changed over time?

I’d say the difference is the frequency and sophistication of the threats. As technology changes and advances, that’s often a good thing for those of us protecting the data, but technology also advances for the bad guys. They’re using artificial intelligence and machine learning and social engineering techniques to try to get through corporate networks and get to the data. 

Third-party risk has also increased over the past few years. I think the bad guys are starting to see if you can’t get into the organization you want, you can get into their supply chain and get in through the backdoor that way.

Can you give an example of how bad actors are using AI and machine learning?

They’re using things like voice technology to mimic the CEO or someone in the organization to leave a voicemail to request a wire transfer or a check.

How do you think about the balance between solving for one-off threats versus establishing sound systems of governance and security?

Solving for one-off threats is difficult. If you focus on the one-off threats, you don’t know until it’s too late. There’s no efficiency or economy of scale. So really it’s about setting up a proper security program that’s based on controls and processes and standards. 

In that last example, we already have controls in place to counteract someone mimicking the CEO or another person in the firm. We wouldn’t make a decision or cut a check based on a voicemail. We would get verification from the actual person in a live call.

When you have that in place and you have continuous threat monitoring, risk assessments, and defense and depth in place within your program, then you can handle one-offs if they come in rather than trying to go after threats reactively.

How much is infosec at Zinnia technology-driven vs. process-driven?

A great security program will make use of both. Great processes allow for repeatability, predictability, and scale while the right technology helps to automate our controls. And will help make sure you catch all threats whether they’re standard or novel.

What does that look like, given how security threats are always evolving?

As the threats evolve, you also have to evolve and adapt your program to match them. Take phishing, for example. You’ve got a number of layered controls that help with phishing like firewall protection and user awareness and education. So if the threat actors are using a new type of phishing campaign, you can change and adapt your awareness campaign. It’s adaptability and resiliency within the program once it’s built rather than trying to structure it toward one-offs. 

On the one hand threats are evolving, but the regulatory environment changes too. How do you respond to that kind of change?

Whether it’s the SEC or New York State DFS or any other regulatory requirement, we work hand in hand with our legal team to make sure that we understand the requirements and we have controls in place to address them. If there are gaps or areas we don’t have in place, then we work to mitigate that. 

You mentioned user awareness training. One maxim of digital security is you’re only as secure as the weakest link in your chain. How do you achieve organizational buy-in at Zinnia?

It’s a constant engagement with the end users. Before you start pushing out information to the end users, you have to make sure that the security controls you’re putting in place are aligned with the business goals. Once those are aligned, we can better articulate to the users what we’re doing and demonstrate the value of those controls. 

User awareness is a great example. We revamped our user awareness training about a year ago. I get a lot of feedback from our users saying how much they like it. They’re using the tips and the techniques that they learned from our training for their personal accounts or their kids’ or their parents’ or whatever the case may be. It shows our team members aren’t seeing safety and security as a chore — but rather embracing it as a part of their everyday lives. To me, this demonstrates the value of partnership with end users.

Disclaimer: This interview has been edited for length and clarity.