Nick Graf
Director of information security for risk control
CNA
San Francisco
Time at company: 11 years.
Getting my start in the insurance industry: I started at CNA as a college intern, while attending DePaul University in Chicago. I embarked on what I thought would be an 8-week program working in network operations, and I'm still at CNA more than a decade later. After the internship I moved to CNA's information security unit in 2006. We were charged with protecting CNA's data from theft, loss and breach, and would administer firewalls, data leakage protection software and security awareness training — which includes things like identifying phishing or spamming e-mails — for employees, among other responsibilities.
Walking the walk and talking the talk: When we look at our customers, we expect them to perform best practices in data security. As an insurance company, we hold a great deal of information, so we, too, must hold ourselves to that same standard. If a loss or breach of this information occurs, there would be reputational damage and loss of trust from our customers; we recognize this trust is key to our success. We do the things that we ask our customers to do.
Educating insureds on cyber liability: In 2014 my wife received a job offer in San Francisco. I asked my director if there was any other capacity in which I could continue working at CNA, and I found out that CNA's risk control team was looking for someone with my skill set. In transitioning to this role, I still use my information security background, but now apply it to a new set of problems. The Cyber Liability space has changed drastically in the past 15 years, and my role is to help our customers understand their risks and offer them prevention services. This could be implementing a new disaster recovery policy or encrypting their data in a different way.
Hack away: I am a certified ethical hacker. While I was in information security, I assisted with penetration testing, where I essentially hacked systems — within guidelines — to look for vulnerabilities. In risk control, our objective is to educate insureds and offer cyber guidance to help prevent a loss from occurring in the first place. To that end, I've created a risk assessment program that evaluates a customer on 11 different domains of security and provides a report that outlines their score, along with recommendations on areas for improvement. In this role, I use my hacking knowledge from more of a theoretical standpoint and find potential holes or gaps.