The Hacker Who’s Hard-Wired to Help
Sporting some impressive ink and pierced ears, certified ethical hacker Nick Graf embodies the individualist spirit you might expect from a lot of other IT guys. Graf, however, is also an insurance guy. And he says it’s a role that suits him perfectly.
Graf, who leads Cyber Risk Control for CNA Insurance, says that many of the same things that drew him to a career in information security are in plentiful supply in insurance.
“Information security is, at its core, risk management,” said Graf. “It’s always changing; there are constantly new technologies, new vulnerabilities and exploits. You can understand the industry and your book of business today, and tomorrow it can be drastically different.”
“Some might not like the continual shift, but it’s what I like most; I never want to be stagnant. I spend a portion of each day keeping my knowledge current, I love the continual learning.”
Graf, who has an M.S. in network security, was hired directly out of an internship to CNA’s Internal Security team, where he worked on the company’s database security and firewall administration and led the company’s incident response plan. He also assisted with security awareness training for CNA employees.
Five years ago, the Risk Control team needed someone to educate underwriters on cyber risk control topics. Graf decided to give it a go, despite limited knowledge of the commercial insurance industry.
“I didn’t know D&O from E&O.”
But Graf got up to speed quickly, and now works with not just underwriters, but insureds, ensuring they’re prepared to respond if a security incident arises.
“A few months into my role on the CNA Risk Control team, I found myself looking forward to work and finding a great deal of fulfillment in what my role entailed. I was applying my knowledge of security to a new set of problems, not only assisting our customers in their efforts to improve their security programs, but working with underwriting on risk selection, guidelines and educational materials.
“This goes hand in hand with the efforts of the larger insurance industry as a whole,” said Graf. “The industry has helped make cars and workplaces safer, why should cyber be different?”
Despite finding himself in a role he never planned on, Graf is engaged and thriving and has never looked back.
“Five years in, I couldn’t be happier with the direction my career took,” said Graf. “It has made me far more open to seeing where life takes you; you don’t need to plan out every step.”
Graf feels strongly that in order to shift the tides and draw young talent, the industry will need to work on its image problem.
“I think most people believe the insurance industry is boring and not something a person would actively pursue a career in. This is changing somewhat, but I know very few people who studied or majored in insurance in college,” he said.
Opportunities within the industry are plentiful and diverse but hidden, Graf said. The industry has a powerful need for engineers, doctors, dentists, registered nurses and pharmacists to fill loss control roles. But those coming up in engineering and health care fields are rarely aware of those career options.
“There’s a far greater variety of career options within the industry than most people realize,” he said, also noting that the industry’s mission is not being communicated well enough.
“I feel a career in insurance can be far more rewarding than many might think. We as an industry are doing more than simply selling a product, we assist our customers in understanding and planning for the unexpected and are there for them in their time of need.”
Graf expressed concern about whether the industry is recruiting and developing talent fast enough to replace staff retiring in the coming years.
Part of the solution, he said, “is better outreach and marketing of this profession and recruiting. It should start before college and extend to people at all points along their career progression. Working with high schools could increase those seeking related education in college, which could drive more applicants to the field.”
Graf was also frank about how the industry’s relationship with technology continues to negatively impact its image. Young talent has expectations about how it will engage with technology at work. But Graf says the industry remains far too slow in its efforts to get up to speed.
“There are a number of aspects of the commercial insurance industry that have not kept pace with technology,” he said.
“The application filled out by prospect insureds is still largely done on paper (or maybe electronic PDF), but it isn’t being captured directly into a database. The underwriting process is largely driven by spreadsheets, and accessing information on your policy is not possible from a mobile phone app. I know of numerous carriers who are still using mainframe programs that were written 30+ years ago.”
While some may argue that the current system is working “just fine,” Graf believes there is major room for improvement.
“Better technology could make information gathering easier, could give an underwriter the ability to issue a quote sooner, could allow for real-time pricing — if a customer wanted to make a policy adjustment mid-year, it could be done and billed in an instant.
“The industry should be pursuing top tech talent no different than Google or Apple. With talent in place, and being open to change, I believe the industry could transform for the better and have no problem finding qualified applicants.”