USI Insurance Services Chief Information Security Officer Peter Rosario shares his tips on putting people at the heart of your security strategy ahead of CISO Champions Online, US
Building a culture of cybersecurity in any organization is a significant challenge. The larger the organization, the more of a challenge it can be to build that culture.
For Peter Rosario, Chief Information Security Officer at USI Insurance Services, building a strong culture of cybersecurity has been a 7-year project.
USI Insurance Services has more than 10,000 staff in over 200 offices across the US, with staff responsible for responding to a wide variety of emergencies, from wildfires in California to flooding in Florida. For Rosario, training them in cybersecurity is just as important as training them in physical security, or even emergency medical response.
As a member of the Secret Service’s Electronic Crimes Task Force, and through his regular contact with the cyber divisions of the FBI and the Cybersecurity & Infrastructure Security Agency (CISA), Rosario is well placed to train his teams on the latest cyber threats.
Ahead of appearing at CISO Champions Online, US in October, Rosario shared his tips on putting people at the heart of your security strategy.
Establish Cybersecurity Champions
Even with more than 180 IT and infrastructure professionals, Rosario’s team can’t be everywhere at once.
For this reason, three years ago Rosario created a pilot safety emergency response team (SERT) for locations in the company’s Midwest region. When an emergency occurs, the SERT is the first point of contact.
The first item on the training agenda? Cybersecurity.
“They need to be aware because they are my champions,” Rosario says. “In those offices, they are the leaders in case something goes wrong. People are turning to them, and I’m going to utilize them to keep promoting that cyber message.
“Tell [the staff] to be aware of ransom attacks, of phishing attacks. We’ve put posters in every office — remind them to look at those posters. If they’ve got questions, send them to the security team, [the staff can] ask them, and ask us.”
The pilot SERT program has been so successful that the model is now being rolled out across USI Insurance Services’ 12 US locations.
Of course, there are many ways to communicate a consistent message on the importance of cybersecurity, from newsletters and posters to phishing simulations and training. However, to permanently ingrain cybersecurity into the business culture there must be a consistent push from all staff, from the top to the bottom of the business.
“Cyber is big in our world,” he says. “Not only do we have the environment, but we push it. And we have to train on it regularly because we want to make sure everyone’s pushing it.
“It’s definitely ingrained in our culture, but it’s taken seven years to get it to that level where people are aware.”
A Top to Bottom Message on Cybersecurity
To ingrain cybersecurity into the DNA of an organization there must be a consistent message coming from the very top of the business to the very bottom, according to Rosario.
“The first champion must be the person in charge. He or she must champion that for you – that sets the tone right down through the ranks. It’s critical. You can’t survive without it. Absolutely cannot.
“So, our CEO is one of our champions and whenever he can, he brings up security. When we do monthly or quarterly calls, he will bring cybersecurity up. When a new cyber training is announced, he takes it first.”
While the message from the top sets the tone for the business, it’s just as important to have everyone on board, down to the newest intern, Rosario says.
“There’s not one person that is not significant in that cyber battle. So, you can’t forget that when an intern comes in. Someone might say, ‘oh, it’s just an intern.’ Well, that intern may make us liable. So, we have to make sure that they understand how critical cybersecurity is.”
“We do a lot of training of the staff because it’s critical. They’re the eyes and ears of the security team,” Rosario says.
“It is a complete annual training with 10 monthly modules covering all the main topics of security: awareness, password controls, physical security, clean desks, regulations, all the commonsense stuff that people should know and be aware of.
“And even with the amount of training that we do, it’s still not enough.”