As it turns out, Chief Information Security Officers are just like the rest of us. They, too, must advise their parents not to click on sketchy emails.
“Believe me, I have to talk to my dad and family members all the time,” said Laura Deaner, vice president and CISO of Northwestern Mutual.
It’s worth noting that Deaner’s father is no slouch when it comes to security. He worked in the U.S. Navy on encryption methods that you’d find today in the National Cryptologic Museum. In fact, his work is what inspired Deaner’s early interest in technology and cybersecurity. “He always encouraged me to tinker. It sparked a constant need to understand how computers and encryption worked,” Deaner said.
Stirred by her father’s career, Deaner pursued this passion across her academic and professional life to land as a CISO at the forefront of information security strategy for a Fortune 100 financial services company.
The field has changed dramatically in the decades since her father was active, and cybersecurity attacks are rapidly becoming more sophisticated with technology. Today, even the most advanced tech users have had to second-guess their judgment. In Deaner’s work for Northwestern Mutual, the battlefield is more complex and the stakes are much higher than they are for individual recipients of sketchy emails.
The finance and banking industries were the target of an average of 703 cybersecurity attacks per week in 2021, an increase of 53 percent over the previous year, according to research from Check Point. Additionally, the Financial Services Information Sharing and Analysis Center, an industry consortium, escalated its cybersecurity threat level an unprecedented three times in 2021.
The finance and banking industries were the target of an average of 703 cybersecurity attacks per week in 2021.”
According to the Federal Bureau of Investigation’s Internet Crime Compliance Center annual report, 2021 was a year of record-breaking cybersecurity complaints. The IC3 logged a 7 percent increase in complaints from 2020, with potential losses exceeding $6.9 billion. With so much riding on CISOs, there is a lot of pressure — particularly in industries of critical infrastructure such as finance — to be ten steps ahead of security threats.
“If you’ve been reading the headlines, it’s never been more important for companies to have a rigorous security process in place to mitigate risks and challenges,” said Deaner. “The external environment is increasingly complicated because of the sophistication of the threat landscape. It’s constantly changing.”
Currently, phishing still plays a dominant role in attacks. Twenty-four percent of FS-ISAC member-reported incidents start with an employee falling victim to phishing. Plus, ransomware is an ongoing factor in cybercrime, with global operators engaging in a game of “whack-a-mole” with law enforcement: popping up, shutting down, collaborating and moving constantly.
“This year, the reach of ransomware has increased exponentially from last year,” Deaner said. “So many companies are getting breached through ransomware, and every single year, those actors change. You have to keep up with that pace of change.”
What is a CISO to do?
The First Line of Defense
Deaner is leading the charge on a companywide cyber transformation program at Northwestern Mutual. “We’ve made huge strategic investments,” she said. “It’s a phenomenal time of transformation in terms of strategic initiatives in cybersecurity.”
The program kicked off earlier this year. For obvious reasons, Deaner can’t publicize the details but shared that it has been a resounding success. “It’s a huge win, and it’s a big deal for a cybersecurity person to get the entire company to make this a top priority,” she said. “It’s a long-term initiative in response to continually evolving external threats.”
It’s a big deal for a cybersecurity person to get the entire company to make this a top priority.”
What Deaner can say is that the crux of this transformation hinges on establishing a “security culture” where awareness is engrained in behaviors across the organization, from employees to financial advisors to its 5 million clients. These practices help keep data safe and secure. “People are the first line of defense when it comes to these threats. We want consistently demonstrated behavior that protects our systems and programs,” said Deaner.
In sports, teams often study their rivals and run simulations in practice. These days, financial firms are following suit. Phishing simulations are one of the ways that Deaner’s team is cultivating better habits, since phishing is still a primary attack vector. It’s a strategy that has caught on with CISOs in the past few years.
“It was controversial when it started, but then you saw people spotting real phishing attempts because they were learning from simulations,” said Deaner. “That is a perfect example of security culture. In a simulation, if someone clicks the fake phishing link, there is immediate feedback and education about what the user should have been looking for. If they report it, they can get an internet high five. We are embedding these experiences into our daily life.”
Deaner is realistic and understands that there will always be cybersecurity risks at every single company, no matter how diligent they are. “Even the most secure companies have cyber risk. If we run a simulation on a regular cadence, we’re expecting to see most people mature over time. We have lots of metrics we’re tracking.” The goal is constant progress, with yearly benchmarks, on the way to fulfilling the company objectives.
“Our mission is to protect our clients and maintain their trust by delivering world-class cybersecurity and risk management services,” Deaner added. “Innovation is important to me as a technologist, but being world-class is important because our adversaries are all over the globe.”
Northwestern Mutual uses a number of tools to support its mission. For one, the company leverages a National Institute of Standards and Technologies Cybersecurity Framework to measure its cybersecurity and IT risk management program over time. The organization also leans on its membership with FS-ISAC to stay tapped into world events that can impact cybersecurity risk.
Underneath all of these tools, innovation is at the heart of cybersecurity strategy. Adversaries are coming up with creative new attacks all the time. Deaner finds it thrilling to be at the forefront of technology shaping the way tech is used. However, she is also focused on ensuring that the solutions match customers’ risk tolerance. “We have technologists and risk managers to keep us balanced,” she said.
Professional Development Opportunities
A Cybersecurity JEDI
Deaner’s experience as an immigrant has ignited a passion for her work with Northwestern Mutual. Her family moved to the United States from Morocco when she was very young.
“We didn’t have a lot,” she said. “One vivid memory I have is my parents stressing over finances. They could have used an expert to help them with their financial plan. That’s what I love about Northwestern Mutual: We’re here to relieve that financial pressure.”
Deaner put herself through college, obtaining a computer science degree from Old Dominion University in Virginia, with a minor in engineering. “I was one of about five women in a class of about 300 students. I knew every woman in the class, but I just didn’t feel like I belonged.”
Deaner was discouraged at times but persevered with the support of her family and friends. She got a break in 2000 working a night shift job in a security operation center for a financial services company. She rode out Y2K and the dot-com bubble burst and said that every time she looked for an opportunity after that, it was there.
Today, after two decades of climbing up the ladder in financial services, Deaner’s perspective has translated into a passion for justice, equity, diversity and inclusion as she leads Northwestern Mutual forward. Plus, she enjoys the acronym, JEDI.
“JEDI is extremely important to me, not just because I’m a diverse woman but because it’s important to our industry. We have a low number of women in technology and cybersecurity,” Deaner said.
Deaner’s Advice to Women in Tech
Want To Have Fun?
Security culture isn’t the buttoned-up, suspicious atmosphere it might sound like. At Northwestern Mutual, it’s actually pretty fun. In her two-decade career, Deaner has never seen anything like it.
“If we’re having a bad day — say a control isn’t working properly — we work through it together. That’s what makes us unique. We have an amazing culture to enable us to perform a very serious duty and enjoy it. I find that unique about Northwestern Mutual.”
We have an amazing culture to enable us, from the cybersecurity perspective, to perform a very serious duty and enjoy it.”
Deaner cites the culture as one of the reasons she is sticking around. Deaner has been at Northwestern Mutual for 19 months and counting. She’s found an inclusive community of passionate security professionals who care about helping Americans feel good about their financial plans and feel good about their contributions.
“We’re embarking on some great innovations,” Deaner said. “We’re well positioned to compete from a Fortune 100 perspective, with any other fintech or financial services company in terms of our culture, technology and cybersecurity services. So, for job seekers, I’d ask: Do you want to come have fun?”
What makes cybersecurity such an exciting field?