Thought Provoking Leaders
Chief Information Security Officer
The Hanover Insurance Group
“Success in transforming your security programs cannot be all about the security aspects, it's about business engagement and the leadership approach.”
We were interested in speaking with Danielle Goulet, Vice President, Chief Information Security Officer at The Hanover Insurance Group about her experience transforming their information security program. Learn how Danielle’s leadership has helped modernize information security at The Hanover.
The Hanover is a leading property and casualty insurance company offering a broad portfolio of tailored coverage solutions for personal, commercial and specialty customers. The Hanover is a Fortune 1000® company, with nationally recognized claims service and proactive risk management expertise. The company’s financial strength has earned it high marks from key industry analysts, including an “A” rating (Excellent) by A.M. Best Company.
Hybrid Pathways partners with Trinity College to help develop their cybersecurity education program and promote diversity in the industry. A recent Trinity graduate and employee at Hybrid Pathways was inspired by Danielle’s leadership experience and asked Danielle to share some advice for young professionals getting started in security.
Read Danielle’s tips for developing technical and leadership skills for young professionals at the end of this interview.
What was the starting point for your program transformation journey?
We set 5 strategic imperatives which aligned with our vision and mission:
Evolve to a risk-informed security culture
Identify and protect information assets
Align security operations to the industry
Transform identity and access management
Enable the business to transform securely
The importance of evolving to a risk-informed security culture
There is often a perception that security is something done to people. Security is still developing into a true partnership within the business. One goal was to be viewed as true partners to enable the company to meet its goals. We respect that we are in business to be the carrier of choice for independent agents and brokers. As we thought about the security program, the more we could do to enable the business goals and implement solutions that were low friction and low touch, the better off we would be.
Partnering with the business is imperative. There is a lot of institutional knowledge that will be helpful in your security transformation journey. Ask a lot of questions and listen to your teams and the business to understand what they have tried before and what may be needed going forward.
I was surprised at how quickly people were willing to lean in and partner. Though significant security incidents are rare, it is important that everyone leans in to resolve them. The business was willing to come to the table and help us to understand the context and rich history, which helps us resolve issues more effectively.
The support from the Board of Directors and our executive leaders was astounding. I remember being here for two weeks and having the opportunity to present to our audit committee, a committee of our Board of Directors, for the first time. They immediately helped me to understand how important cybersecurity was to the organization.
A challenge in evolving to a risk-informed security culture is getting the security and technology teams to work more closely together.
We have flipped the narrative and rather than push security onto the organization, we drew them in. One of the successes that we had in establishing a robust application security program was to create security champions. This is a group of individuals who are part of our business-aligned software development teams and are trained in the practices of threat modeling, static analysis, and software composition analysis and remediation. We drew in trusted leaders from the organization and enabled them to lead the security function from within application development. Rather than feeling like security is happening to or around you, it becomes a more natural part of what you do. Our goal was to embed security by design, and it boiled down to developing trust and a common language across teams.
We needed to be thoughtful about the approach to bringing security to the organization. We prioritized areas of opportunity where security could lean in and deliver value to the business.
Be sure to have a clear picture of your technology landscape and what the business strategy is. This is crucial to help you identify the risks to best define the policies, standards, and controls that you need to have in place. Adhering to a framework is critical so that you can make effective decisions and measure your outcomes.
Aligning security operations to the insurance industry
There were opportunities to help the security team to grow, develop, and mature. At the time, we had limited outside influence on our security program such as FS-ISAC (Financial Services Information Sharing & Analysis Center) or an MSSP (Managed Security Services Provider). We wanted to evolve key processes and technology, so we looked outside and sought input from the likes of boutique security services to a large-scale MSSP. We became members of the FS-ISAC for intelligence gathering, communities of interest, and research and development. We spent time making sure that we had our core technologies up, running, and healthy from an engineering perspective. We had a lot of tools already in our portfolio, but some weren't implemented to the fullest degree. We developed a capability map to understand all our processes and technologies: what value they could bring, the implementation and engineering status, and where each tool was in the technology lifecycle. This capability map continues to be used to support our planning and decision-making, including rationalization of spend and categorization of emerging vendor products. I appreciate that we can regularly monitor where we are at and ensure we are getting the most from the company’s investments.
Enable the business to transform securely
The pandemic encouraged us to quickly pivot our employees and contractors to remote work. Since this was not a customary practice for our company, we had to figure things out as we went. We had to grow our team by almost 200% and simultaneously build strong relationships across the business without the benefit of working physically together. Where in the past we would have stopped by someone’s desk to have a connect, we now had to figure out how to connect new and existing employees in a remote environment to foster collaboration and deepen existing relationships.
Within the first year that I was with the company, one of the roles we created in information security was security advisor - it's like a business information security officer role. The purpose of that role is really to interact with the business, understand the business itself, understand the data being handled and the technology that supports their processes. This role is the bridge between business and security and encourages knowledge to flow in both directions. The goal was to identify what the business wants and needs to do, what are the potential security risks, and how security can support the business objectives.
Identify and protect information assets
We revised policy around data, data protection, data classification, data labeling, appropriate handling of data and then introduced technology around all of those. We worked in parallel with the emergence of our enterprise data office as well as our data governance program. I think having all those functions aligned has been crucial to our success.
Transforming Identity and Access Management
Previously, maintaining firewalls, routers and existing networks worked to manage access, but the pandemic escalated the need for technical and security innovations beyond this. We had to be agile and innovative to develop ways to get over hurdles much more quickly. The scope of our transformation in this space has been significant. We focused on a full capability map, formal blueprinting with enterprise architecture to identify the target state and a roadmap to cover workforce, agents, and consumers. We’ve factored digital experience, cost management and cyber resilience into the plan.
Successful security transformation is about leadership
Success in transforming your security programs is partially about the security aspects, and the other part is about the leadership approach and communicating in terms stakeholders can understand. I think that strong security programs are driven by good risk managers, strong communicators, and inclusive leaders. It's around building a shared vision and providing the frameworks for the business to fully embrace security. It is important to know when and where to lean in and when to build up the teams and give them the latitude to make decisions.
Has your strategy changed in the past 4 years?
I can map out where we need to be 1, 3, and 5 years from now, and I can guarantee that every single one of those end states is going to change based on new threat activity, people, process, company culture, risk management approach and emerging technology. The pandemic threw many curveballs at us from a security perspective, which called on us to be fluid in our approach to security strategy. Having a myopic view of the end state goal is a hindrance rather than a benefit. We review our cyber risks regularly and use them as an input to formal roadmap revisions.
In the past four years, when we created our roadmaps, we aligned with the dual horizons of our business and technology strategies. We want to double-down in certain areas to ensure we have strong operational effectiveness. We set our eyes on the new emerging technologies and understand how to secure them to benefit the business through strong collaboration with our innovation teams.
We make sure that we are methodical and thoughtful, but we want to enable the business so they can move as fast as they need to – securely.
Iryna Onyshko is a recent graduate of Trinity College with a degree in Computer Science. She joined Hybrid Pathways and was excited to seek advice from Danielle as a woman in this field. Danielle’s experience and advice applies to all security professionals, and we wanted to share her guidance to help anyone interested in growing into security leadership roles.
Advice for growing into security leadership roles
My career did not start in technology; my career started in group life claims. I was always interested in the technological solutions that were being created and developed to support the business. My jump from the business into technology was through a business analyst role when I worked for another insurance company. From there Sarbanes-Oxley came along, the concept of IT general controls happened, and I took a role in what was called IT Compliance at the time. This role focused on technology remediation, things like access control and balancing controls job processing, etc. At this juncture the Office of the Comptroller of the Currency was focused on building better oversight and due diligence of our third parties, so I went from IT compliance to third party security assessments and helped to transform that program with a prior employer.
If you had told me when I was 25 years old that I would be in the security field, I would have thought that you were crazy, but I think it has served me well and it's something that I have learned over time. One, you must have a passion for it, and two, it takes great integrity.
The investments that are being made by schools to focus on science, technology, engineering, and math for children at an early age will help build confidence in a wide range of future security professionals. This gives people more hands-on experience to become comfortable in the field.
I have had many mentees at various stages in their professional journeys. Each of my mentees has a distinct set of needs based on their personal development. They may need to build confidence, see their strengths and areas for development more clearly, learn how to look at problems or opportunities in pieces, or develop a specific technical skill.
I have personally employed the following tips to help evolve my career:
Learn from a mentor
Pick a mentor based on what you want/need to learn. You should pick your mentor (most potential mentors will lean in and say “yes” to your request). Know yourself, know what you're looking to get out of a mentorship, and drive the conversations with your mentor. In my career there have been coaches that have been focused on leadership and others that focused on a technical skill set. I've selected each mentor for specific reasons and purposes. Sometimes you just need a mentor that can be a great thought partner. You shouldn’t have just one mentor, because you get such great value from having a diverse set of perspectives and inputs into your growth and development. Pay mentorship forward. Mentors invest time in your development; the best thing you can do is invest in mentoring others, imparting your knowledge.
I am an early riser by nature, and besides catching up on the news, my morning routine is generally reading about relevant security topics. Currently I’m reading more about the Mitre cyber security governance because I am trying to think a little bit broader about how we do cyber governance. It’s important to be current on the basics, including threats, risks, and recent news, then learn something new on a regular basis. It keeps you fresh, keeps you growing as an individual. Books I’ve recently read are The 5:00 a.m. Club and Rise for personal development, The Power of Positive Coaching for leadership skills, and Accelerate for skills in organizational transformation.
Master your response
If it won’t matter in five years, don’t spend more than five minutes being upset by it (from The Power of Positive Coaching). In a security role, you may be met with pushback or an unfavorable response. This tip is around making sure that you're rising above the friction. You are going to have unhappy stakeholders, and people are not going to like you at times. When you have applied a balanced approach to managing risk and leveraged your integrity in the decisions that you make, move forward and don’t dwell on the negative. Don’t stand on the wall for something that’s not going to matter at the end of the day. Choose wisely the things that you are going to stand on the wall for, and you’ll be more respected for it.
Tap into your integrity
The decisions you make are impactful. You must be deliberate, thoughtful, rely on your personal integrity and call on your team to ensure you’ve looked at all possible outcomes.
Develop your team
Invest in the development of your team because they are your biggest allies; you rely on their skills in a crisis, and you want them to be at the top of their game in this industry.
We are grateful to work closely with these thought leaders. Sharing our experiences helps everyone to grow.