In The Binoculars: Nate Smolenski, Chief Information Security Officer
Corvus Question & Answer Session with Nate Smolenski
Nate Smolenski joined Corvus last month as Chief Information Security Officer. In this role he’ll provide critical guidance to our brokers and policyholders as they evaluate their cybersecurity posture, and will be instrumental in informing Corvus's product roadmap.
Nate’s two decades of experience have been built across diverse business verticals, including insurance. He most recently served as Head of Enterprise Security Strategy at Netskope, and has had leadership roles in information security at the NY Life Insurance Company, Spencer Stuart, Zurich North America and 21st Century Insurance.
We’re excited to welcome Nate to the Flock -- so excited, in fact, we wanted to share a full Q&A so that all of the brokers and policyholders working with Corvus can get to know him too.
What drew you to Corvus?
I see this huge opportunity to use technology and data science to impact overall security, particularly by helping under-serviced IT organizations. And by overall security, that includes larger companies, the ones who do have sophisticated IT security -- because of the deep connections between organizations and the multiparty risk that presents. It’s supply chain risk management. Even if your own company is well-secured, say there’s a regional logistics company you use as part of your distribution chain -- if they aren’t just as secure as you, that represents a point of weakness. So by helping all companies, especially ones under-serviced in IT, we can have a “rising tide” effect on security. Corvus has the tools and the technology and the people to make that happen.
Your role encompasses both Corvus’s security as well as the security of our policyholders. A two-part question:
1) What trends in risk do you see for insurance companies in terms of their own cybersecurity?
2) Do you see an evolution in how cyber insurance fits into the cybersecurity operations at insured organizations?
For the first part: we’re seeing digital transformation in financial services in general - a shift from brick and mortar bank operations to digitally-focused banking services, for example. It’s the same in insurance, where digital insurance has created disruption, with even the largest and most established insurers making investments and acquisitions in this area.
As a large entity like an insurer starts adopting cloud services there’s a substantial change in their cyber risk profile. The security team now must serve two separate functions: support a legacy infrastructure -- a datacenter -- that keeps the main business running, then also support the new investments that are inevitably built on the cloud. It’s no longer just a castle with a moat, the security paradigm for a datacenter. So the security team has to bifurcate its efforts and its personnel, and needs to plan on living in this more complex way of operating for the foreseeable future.
To the second part, I can speak as a former buyer of Cyber Insurance products. Not too long ago, the involvement of the CISO started and stopped with a spreadsheet of questions from the insurer about the IT system. Homework. But there was a gradual realization among the C-suite that the answers to those questions actually impact the premium. So they started to get the CISO involved earlier.
At the same time the insurance products became more sophisticated. Before, the broker might have come to a client with a policy with $2m coverage for PCI, even though it’s a manufacturer who has never processed a credit card. Now underwriters (like Corvus) are determining risk based on data gathered on the current state of the policyholder’s IT systems and technology landscape, largely doing away with aspects of the questionnaire, and getting much smarter about coverage.
So now, this virtuous feedback loop has been established where the CISO is more involved on the client side, and the insurer is focused on the things that really matter to risk for the client. To bring it back to my answer above about the rising tides of security -- everyone knows the “table stakes” of what it takes to make a company safer, but that doesn’t mean the table stakes are easy. Many companies don’t apply best practices consistently. So having insurers drive change by providing data and the opportunity to get better coverage when best practices are followed, and having CISOs involved at insured organizations to effect that change, it can make everyone safer.
Crystal ball: will ransomware remain the major threat concerning organizations for the foreseeable future, or fall out of favor?
It all depends on how long it takes to get to universal hygiene -- the universal application of some basic security measures across an entire industry vertical. It comes down to making ransomware more expensive to do. If there’s no more low-hanging fruit to exploit, the cost-benefit ratio will fall to the point that criminals will eventually look elsewhere. Of course, if there’s the nation-state aspect involved, that could be another reason we continue to see these kinds of attacks -- in that case, the monetary reward isn’t the only tradeoff. But getting more organizations to take this seriously and defend against ransomware will certainly make it more expensive.
What’s something we don’t know about you?
I am a youth ice hockey coach and general ice hockey enthusiast. I played for many years growing up and still enjoy being on the ice with my kids and helping to coach their teams and teammates. It’s an enjoyable break and opportunity to do something very active with the kids and it’s great to see the progress they all make each season and year to become better players and better people.