Advice on some of the biggest challenges facing insurance IT executives was offered during a town hall meeting at the recent IASA conference, as an expert panel along with audience members shared guidance on data security, cloud computing, and recruiting and retaining talent.
The panel, which was moderated by Rod Travers, EVP at management consulting firm Nolan Co., included GPM Life IT director Gregory Lawler, Agile Technologies’ partner John Johansen, former insurer IT exec and now Smart Design managing director Anil Chacko, and Travelers VP Douglas Ramsey.
One of the first topics the group tackled was security. As Nolan pointed out, in an ultra-connected world, the risks continue to rise.
Insurance IT executives, however, face some industry-specific obstacles to building a solid data defense. For instance, carrier tech execs need to overcome the nature of the insurance business itself, according to consultant Chacko. Insurance is heavily regulated and CEOs often think that if their company is in compliance with current security regulations, their work is done and their companies are safe. Their thinking is “we’re secure, let’s move on” to other business, he said. But, of course, just because a firm is in compliance doesn’t mean it’s taken every step it can to safeguard its information assets, Chacko said.
Another challenge, said GPM Life’s Lawler, is that companies put a lot of time, effort and money into guarding against outside threats, when oftentimes the threat lies inside the company.
And there are also cultural challenges, said Johansen. When walking into a new client’s business, he said a consultant can often tell which organizations are very security focused and which ones aren’t. For instance, he said he has a client that doesn’t allow laptops to be stored at work. The company has determined that if someone breaks in and steals its laptops, there’s a good chance the thief is after sensitive data. However, if a laptop is stolen from an employee’s home, it believes the crook isn’t interested in corporate information.
So, how can insurers better protect themselves?
One member of the audience said companies need to do a better job with basic blocking and tackling, such as deploying the right security tools. This includes intrusion detection and data leak protection. “You have to monitor what’s coming in. But you also have to monitor what’s going out,” he said.
Chacko added that companies need to have the right security policies in place and to hold people accountable when something goes wrong.
Another audience member asked where the buck stops when it comes to data security. With the board and CEO, Chacko said. It’s their job to make sure everything is protected. But, as Travelers’ Ramsey said, if something does happen, the CIO always pays for it.
As Nolan noted, however, when it comes to security, “there is no silver bullet.”
The topic then switched to cloud computing, with the first question being what a hosted environment should be used for and what it shouldn’t.
There was a quick discussion on why policy administration systems are probably too heavy a lift to be put into the cloud and agreement that, as demonstrated by customer relationship management and payroll applications, there are plenty of other uses of the cloud that have a proven track record of providing computing efficiencies.
The issue of public versus private clouds was then raised. Both public and private clouds enable companies to access applications over the Internet, but, with a private cloud, the applications’ servers aren’t shared with other parties. In addition, the applications usually reside on virtualized servers, allowing the owner to add or reduce capacity as needed.
Big companies want to use a private cloud for the flexibility it offers, said consultant Johansen, while small and midsize companies, he said, see public clouds as an option, but not for sensitive data.
The cloud discussion then turned to data governance. An audience member asked if a separate governance program was needed for the cloud. Johansen said if an organization has a mature governance model, it’s probably in pretty good shape.
Nolan then switched the topic to recruiting.
He cited a McKinsey & Co. report released earlier this year that listed where the consultancy saw the most pressing IT talent needs, the top five of which were skills in analytics and data science, joint business and IT expertise, mobile or online development, enterprise application architecture, and cloud and distributed computing.
Insurers are competing with many other industries for people with those competencies.
Travelers’ Ramsey offered that to attract talent, insurers need to be mindful of the employee experience. It’s important to get an “end-to-end talent engine going,” and that includes good on-boarding, good coaching, and meeting employee needs. And, he said, companies have to be ready for young employees to leave.
Chacko mentioned that, during interviews, job applicants are often asked where they see themselves in five years. But, he said, does the company have a plan for them? Where does the employer expect the new hires to be in five years and how is it going to get them there? Having such a plan, he said, helps retain people.
One audience member worked at a company that made sure new people knew they had a growth path. The company emphasized training and had a talent identification process in which everyone was evaluated with the intent to promote them up through the organization.
One audience member at a small insurer said he has an intern program that works. He said he pays interns well and gives them interesting work. He said many interns then want full-time jobs, and he’s in a position to cherry pick the best. He also said he’s had success finding experienced people by “paying them what they’re worth.”
An audience member added that for some experienced people, lifestyle is important. Sometimes people want to work from home. Or they want to be able to participate in activities outside of work. Silicon Valley firms might be attractive, but they also might want people to work 14 hours a day. The audience member said it might be attractive for someone to know that, while they’re expected to get the job done, extreme hours aren’t required.
Originally published by Insurance Networking News.