How an Insurance Company Uses an MDR to Elevate the Effectiveness of Cybersecurity Teams

Mark Strosahl
Chief Information Security Officer at Penn Mutual Life Insurance

Today’s CISOs shouldn’t be content with being technical specialists in cybersecurity. Instead, we must be program managers, people developers, relationship builders, culture leaders, risk managers, strategists, and growth-oriented industry luminaries.

That would’ve been unimaginable to me at the start of my career. I started as a systems architect and only ventured into information security about eight years ago. I spent 15 years at a Fortune 250 company, starting as an analyst and eventually becoming a business information security officer (BISO). I was among the first in the security industry to occupy this forward-thinking role that bridged the gap between our CISO and our business units. That experience has shaped my career ever since.

Security is a complex and evolving topic, and there is no finish line. You’re never done learning, and you never know if you’re good enough. You’re always susceptible to a breach, and because things are never black and white, you must learn to live in the gray. The art to building a security program is understanding what your business needs to succeed in that space and rising to the challenge.

I joined Penn Mutual in 2022 as the company’s CISO. Founded in 1847, we currently employ over 3,100 employees, with $3.7 billion in revenues and $36.7 billion in assets. We were well established with sound security controls, but due to the evolving landscape, needed to mature our security strategy.

Today’s CISOs aren’t content with being technical specialists in cybersecurity. Instead, they must be program managers, people developers, relationship builders, culture leaders, risk managers, strategists, and growth-oriented industry luminaries.

I was a new CISO, so while I had the conceptual knowledge and implementation experience to build a new program, I didn’t yet have deep knowledge of our security controls, business, or people. So I had to fall back on the skills that got me to that point in my career.

Part of the reason I landed a BISO role was because of my background in IT architecture. That education gave me the big-picture thinking skills required for a job in security, where you have to be consciously thinking about a lot all at once. By the time I became a CISO, I knew I wanted to avoid a common mistake many CISOs make: Instead of spending time developing technical controls, implementing tools, and configuring everything myself, I wanted to build a team that would handle the details and validate our internal efforts so I could focus on strategy, including an overview of our cybersecurity posture.

The situation in front of me was the opportunity to improve collaboration and obtain more strategic guidance by building the connective tissue to stitch everything together.

Cybersecurity requires flexibility. There is no one-size-fits-all approach, and that’s partly why finding a balanced security approach is more art than science. Companies have wildly divergent cultures, and with security touching every part of an organization, CISOs must adapt information security policies and programs that integrate seamlessly with other operational tendencies. For example, insurance and financial services companies have to adhere to regulations and legislation specific to the financial industry, to further reduce risk.

Cybersecurity requires flexibility. There is no one-size-fits-all approach, and that’s partly why finding a balanced security approach is more art than science.

When I started building our security program, I wanted to keep most of our existing tools and policies in place. Our team did a great job managing our existing controls, but it’s a big undertaking to identify high-priority risks within our SIEM (security information and event management). SIEMs are traditionally noisy, expensive, and difficult to configure, and for us, the better choice to offset that burden was to work with a Managed Detection and Response (MDR) provider like Expel who integrates with the technology we already had. Effective MDRs sift through billions of alerts and only flag the most pressing threats by monitoring our existing technology stack around the clock. They focus on outcomes, not just alerts, and can escalate the right issues to our security team, which is incredibly valuable.

Easy integration with our technology stack and optimized alerts weren’t my only concerns. I also wanted to partner with a company that could inspire confidence and offer transparency in the off-hours. Specifically, I didn’t want my support teams waking up in the middle of the night because only they could handle an alert. I wanted a vendor who would triage events, handle the small stuff, and only call us if an issue exceeded their expertise or access level.

I focused on developing my skills so that I understood the business needs and capabilities of my team. I was confident in their abilities and knew the right tooling would provide opportunities to evaluate the effectiveness of our new program. An MDR would enable the team to do their best work and focus on high-priority risks.

The best way to communicate the technical security landscape—and cut through the regulatory noise—is by using analogies. I must accurately detail a mature information security program to third parties and customers, demonstrating compliance without divulging too much about our defenses, which (in the wrong hands) might give bad actors indicators of our systems.

The landscape is incredibly complex, and you can’t necessarily sprinkle acronyms like “MDR” in conversations with non-security teams. You have to say, “When things go bump in the night, I have a team of people who respond to alerts 24/7/365.” Everyone understands the value of that. The more I can use simple, non-technical terms to explain our security program to our leadership team, regulators, investors, and other stakeholders, the more confident they are that Penn Mutual is adequately protected.

When you have a highly-skilled team, the best way to lead is to empower them with the right tools, reduce the noise to make their job easier, and then stay out of their way.

As a CISO and a team leader, I’m a strong believer in finding smart people and putting them in the best position to succeed. When you have a highly skilled team, the best way to lead is to empower them with the right tools, reduce the noise to make their job easier, and then stay out of their way. An MDR can work alongside an internal team, becoming a trusted partner who speaks our language and allows us to focus on securing our infrastructure instead of chasing after the small stuff. Expel has become that extension of our team, making my team’s job easier. They can pull details on investigations and alerts to help us better respond when regulators and executives come calling.

Expel MDR became that connective tissue we craved, and with it, we created a three-part modern security strategy:

1. Threat detection and response is fundamental. Picking the right MDR provider helped us maximize our security tools, which was especially important because he didn’t want to replace any tech
2. We have a newfound sense of transparency and visibility. Our MDR offers a single pane of glass to view timestamps, IP addresses, access logs, and other information from everyone who worked on an issue, providing near-forensic data quality when creating incident reports. Detailed data means no one has to dig through email chains, call transcripts, or incident notes to determine what happened, and it’s all in one place, in a format that’s easy to understand.
3. Using an MDR allows us to better allocate our resources, and our team can focus on the other parts of the security strategy that were critical for success, like compliance and governance.

In 2023, I created an information security dashboard that takes a snapshot of the last 90 days of security incidents. It includes data from an external partner who rates the security posture of our different websites. It also details how many events triggered reviews, whether they were automatically or manually investigated, and whether they led to security incidents. What it’s telling us is that our security operations are working the way we need them to, plain and simple.

I love my work and am simultaneously excited and worried about how it’s always changing. The threat landscape is constantly evolving, and because there’s no finish line, we can never stop learning or growing. Look at Artificial intelligence (AI), another emerging challenge. In a year or two, we might find ourselves dealing with fake data and false positives, taking us down a rabbit hole of non-existent problems.

Well-rounded security doesn’t require an all-or-nothing approach; it means meeting or exceeding regulatory and industry standards while reasonably reducing risks.

Well-rounded security doesn’t require an all-or-nothing approach; it means meeting or exceeding regulatory and industry standards while reasonably reducing risks. By 2028, enterprise spend on battling misinformation will surpass $30 billion, according to Gartner’s Top Strategic Predictions for 2024 and Beyond. These expected funds will eat into marketing and cybersecurity budgets and will force regulators and security management experts to rethink how to secure their assets.

The best way to stay ahead of potential threats is to periodically review and adjust your information security strategy. It may not require significant changes—just tweak what’s working, eliminate what’s not, and make additions and adjustments to give your team wide coverage. And while today’s CISOs have to be much more than technical specialists, we shouldn’t have to be everything else on our own. MDRs should be a big piece of any modern CISO’s strategy, as they play a massive role in making any layered security defense as secure as possible.