Published: 01 Dec 2017
Named after a stream on a Tennessee farm, Duck Creek Technologies provides on-premises and cloud software for the property and casualty insurance industry. In August 2017, John Germain joined the 17-year-old company to serve as its first CISO. The information security veteran is charged with leading the overall strategy, direction and management of Duck Creek's security programs and cyber protection initiatives as the Boston-based company continues to grow and expand into global markets. (Accenture acquired Duck Creek in 2011 and sold the majority stake in the company to global private equity firm Apax Partners last year.) Duck Creek continues to partner with Accenture, integrating the consulting firm's big data analytics, internet of things (IoT) and other emerging technologies into its property and casualty platforms.
Germain got his introduction to cybersecurity as a network administrator for a manufacturer in the 1990s, when the Melissa virus struck. As at most companies at the time, protections at the firm were rudimentary: a firewall with simple packet filtering. "Melissa hit, and all hell broke loose," he recalled. The experience got him hooked on the challenge of preventing and mitigating cyberattacks, at a time when information security wasn't really a defined career path. During his 14 years at ITT, he served as the director of IT security. Later, Germain was the vice president of infrastructure and security services at Xylem Inc., an American water technology provider spun off from ITT. "My passion was on the security side, but they needed me in the CIO role, too," he said. Having focused on both the security side and the "get business done" side, Germain said he feels well-equipped to help organizations determine their appropriate risk profile, a skill he now uses at Duck Creek Technologies.
What is your vision for security at Duck Creek as you begin your new CISO position?
John Germain: I have a good idea of what needs the most attention. Since I have gone through this before, I usually start with the 100-day plan, the one-year plan and my multiyear plan. I have that plan ready, and I work with leadership to focus on those areas here. The energy and passion here is incredible, and people have a bold vision about what they want to do. Everyone has been very receptive to me coming on board and taking on the CISO position. We want to make sure we do the right thing on behalf of the customers, always exceeding their expectations, and I want to get us there. We have a great program in place that needs care and feeding and continuous improvement to mature it. I will be there to make sure we do that and follow the right frameworks. I want to really establish a culture at Duck Creek where everyone in the organization understands their role in terms of providing security for customers, and that security becomes part of the everyday approach to business.
What, if anything, makes security around insurance IT different from that of other industries -- are there really any inherent differences?
Germain: When you look at who will benefit most, you get an idea of what type of attackers might be targeting us. From an attacker perspective, you have to ask who gains the most from attacking either Duck Creek or one of our customers. That helps in understanding our risk profile.
In terms of what we do, our larger risks are around protecting personally identifiable information data; that's going to be one of the bigger targets for us. We have established some capabilities for keeping an eye on potential attackers. But if you have vulnerable systems and they can steal someone's credentials, they will. … So it is important that you not present an attack surface people will want to take advantage of. Once attackers are in, there is so much they can do to leverage that. The range of potential damage is incredible.
How does Duck Creek work with other organizations to help ensure security and preserve data privacy?
Germain: The insurance industry is relatively new to me. My background in the CISO position was in manufacturing and some services. This is something I am coming up to speed on, to understand where to get the best bang for the buck around intelligence and risk. … My hope is to become part of those discussions and go to [insurance industry] summits and seminars and talk to their leaders about their concerns. I want to understand their pain points, what is driving them to use Duck Creek and what their expectations are.
Aside from that, I have a relationship with the FBI InfraGard program. They are helpful in understanding a lot of the emerging threats. We are looking to become a member of the Financial Services Information Sharing and Analysis Center so that we can get information related to the industry faster. There are always some gaps a company has to be aware of.
How has the proliferation of IoT and smart devices left the insurance industry vulnerable?
Germain: Unfortunately, there is some real risk there, and to a large extent those risks aren't well-understood. All these new IoT technologies are coming out so fast, and the use cases are exploding. There have already been major examples of connected, unsecured devices being harnessed for massive distributed denial-of-service attacks. Critical infrastructure, including electrical grid and communications systems, is on the internet along with baby monitors, DVRs, security cameras and other consumer devices.
So far, even the largest hacks have not led to widespread chaos, but all of these devices could be compromised, which could have huge implications for those who insure others. At my last company, we were plugging smart meters into people's homes by the tens of millions. What if that gets compromised? The results could be as benign as shutting off someone's water service, or it could be overloading an electrical system and causing a fire.
With IoT devices ranging from baby monitors to cameras to infrastructure, I have to assume that there could be a lot of liability if the devices are not well-protected or are used to compromise someone's life or maybe used in an attack against an organization. I'm not sure, but I'm guessing insurance companies are thinking a lot about that. Perhaps the insurance companies can be part of driving improved security.