Laura Deaner. PHOTO: Cybercrime Magazine.

CISO Report: People, Process And Technology

Northwestern Mutual Chief Information Security Officer Laura Deaner on cybersecurity and boardroom collaboration

David Braue

Melbourne, Australia – Sep. 19, 2022

This CISO Report is sponsored by KnowBe4.

For all its depredations, the pandemic has been good to Northwestern Mutual, a Fortune 500 insurance giant that saw new life insurance sales surge by 52 percent between 2020 and 2021 — contributing to revenues of $36.8 billion and a record shareholder dividend of $6.5 billion.

Yet behind the financial headlines, a dedicated team of executives is working continuously to not only help their clients manage risk, but to manage the risk of the business itself — and in a climate of surging cybercriminal activity, financial-services boards are all too aware that cybersecurity risk is off the charts.

Enter CISO Laura Deaner, who joined the company in February 2021 with a remit to help it manage the escalating cyber risk that had emerged during the pandemic.

A former CISO and cybersecurity policy consultant at the likes of S&P Global, the World Economic Forum, PR Newswire and Morgan Stanley, Deaner knows all too well how closely linked business risk management and cybersecurity risk management are — and, 20 months into her latest job, she is loving it.

“I’m responsible for setting the strategy, but I also get to do it for IT risk management,” she told Cybercrime Magazine. “It has been pretty amazing, and a nice way for me to continue down the path of financial services, where I grew up.”

That path, however, has taken her on a slow walk along the front line of the cyber wars that have escalated dramatically in the more than two years since the pandemic began.

Indeed, according to one assessment, 74 percent of financial institutions had experienced a significant spike in cyber threats since the pandemic began. Deloitte, for its part, recently noted that attacks against financial apps had risen by 38 percent year on year.

To address this surging threat, Deloitte advises, “CISOs should be given greater authority to influence the lines of business and gather information from across the enterprise.”

“They need to be ready to have open and frank conversations with board members, senior management, and stakeholders.”

With such a significant portfolio to protect, Deaner has been doing just that — engaging with senior business executives that can, she warns, too easily confound the occurrence of a cybersecurity breach with the assumption that the CISO has made a mistake.

This risk means it’s important that CISOs know where to draw the line between advising the business executive, and becoming part of it.

“I worry about getting too involved,” she explained. “The CISO’s job is pretty hard, and having [executives] at the table is very important.”

“But once it crosses more into managing, that’s where we need to be very focused on making sure that there’s the voice, that it’s transparent, and that the CISO isn’t being faulted for something that’s not green [on the security dashboard] because we’re trying to be realistic.”

Similarly, she hopes business managers’ increasing familiarity with cybersecurity risk is helping them be similarly respectful on the other side of the relationship.

“If you realize that [CISOs] have that difficult job, that they are doing what they are supposed to do, and that there isn’t gross negligence going on here, then you start to understand that there are things that have to happen, and maybe a certain level of resources, and even enabling that CISO with some other contacts.”

“When there’s someone on the board with some kind of security background,” Deaner added, “you wind up getting connected to other people who could perhaps help in the journey.”

Shaping the security conversation

As one of just 85 Fortune 500 CISOs who are women — and just one of four women in her freshman-year class of 300 — Deaner knows those connections can be particularly valuable to ensure that boards are exposed to a diversity of voices around cybersecurity risk.

“Sitting in that room with all of those men, I kept asking myself if I belonged there,” she explained. “But I had such a fantastic support group that would tell me constantly that I belonged there… it gave me the ambition to want to prove myself more, by constantly trying to really understand the inner workings [of the business] as much as I can.”

That’s a different approach than that taken by many CISOs, who all too often end up taking a more technologically focused approach to cybersecurity defenses.

This mindset, in turn, has driven the idea that better security comes from spending more and more on new security tools — which explains the ongoing surge in cybersecurity spending that is expected to pass $1.75 trillion through 2025.

“When you actually go through a real cyber incident you are spending a phenomenal amount of time, resources, and definitely money — so it doesn’t surprise me” to hear such large figures around cybersecurity spending, Deaner said.

“The reason we’re seeing such an inflated market [in terms of expenditure] is because some people are catching up” after years of relying on outdated tools she said, “and if you’ve looked at the tool sets that are out there, it feels like there’s a tool for everything.”

Yet it is important for CISOs to avoid focusing on tools too extensively; real success, she said, comes from building “a solid strategy that includes people, process and technology.”

“Don’t just buy a tool and think that it’s going to solve all your problems…. If you balance it out, I think you’ll spend a lot less on cybersecurity.”

– David Braue is an award-winning technology writer based in Melbourne, Australia.

Go here to read all of David’s Cybercrime Magazine articles.

Sponsored by KnowBe4

KnowBe4 is the provider of the world’s largest security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering. We help you address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. Tens of thousands of organizations like yours rely on us to mobilize your end users as your last line of defense.