End-to-End Cybersecurity Q&A with Davison Paull and Mike Maletsky
We sat down with experts Davison Paull from Dashlane and Mike Maletsky from Embroker to hear all about their cybersecurity career journeys. Read on to learn about how they got into the industry, their major aha! moments, and the shifts they’re seeing in security and cyber threats for both people and organizations.
Q: How did you get your start in cybersecurity/tech?
MM: My background has always been on the underwriting side of the house, with a focus on Management & Professional Liability. Over the past six years, I have been involved in the intersection of technology and underwriting these lines of insurance through digital products and platforms. Joining an Insurtech like Embroker in early 2022 was a natural move to focus more on the tech aspect of Insurtech.
DP: My entire legal career has been spent in the broader technology space, but I really only got seriously involved with cybersecurity upon joining Dashlane in 2018. You can’t provide effective legal counsel without knowing your client’s (or clients’) business, so my deep education started then, and I find the technology to be pretty close to magic at times.
MM: My aha moment was when I realized that awareness is the most powerful tool a company has. Some cybersecurity breaches are like the movies where the bad guy “hacks the mainframe,” but most are due to employees' guards being down, even for just a second. A recent report published by my company, Embroker, found that in 2022, 50% of surveyed entrepreneurs said that they thought their insurance policies would only partially cover them in the event of a breach. 27% said the same the year before.
Concern is growing, and the power of employees looking at emails or other vectors of risk through a cybersecurity lens, or with an underwriter’s eye, is the best possible defense a company can have.
DP: Realizing that you can’t be secure without the risk of loss. By which I mean, if the user is the only person who has the ability to access their data on a system like a password manager, whether through biometrics, a master password, or otherwise, that is massively more secure than a system that has a “backdoor” or other means that allows someone else to restore that data if the user credentials are lost. On the other hand, there are many situations where the operational risk of losing data outweighs the need for maximum technical security. Balancing those demands is critical in an effective cybersecurity offering.
MM: Is this covered? That is the number one question I get when it comes to insurance in general. The answer, most of the time, is it depends. You need to ask the five W’s (what, when, where, who, and why) and then line up the exact situation to the policy terms and conditions, which can be very confusing. Was there a breach in your system or the system of a vendor you use? Was it caused by your error or theirs? That’s where insurance professionals like myself, and insurtechs like Embroker, come in. We help assess your business’ vulnerabilities, and craft a policy that fits your needs today and in the future.
DP: How does zero knowledge work? How can a company that stores my passwords not be able to see them? To be fair, in my capacity as the lawyer, I am not asked this directly too often, but it so often underlies questions that our clients and users have, and I spend a lot of time explaining how this architectural fact underpins a lot of the positions we take in our agreements.
Q: What is the most alarming statistic you have seen that should make people care more about the future of cybersecurity?
MM: In Embroker’s 2022 Cyber Risk survey, we found that 68% of founders surveyed had experienced a cyber attack on one of their businesses. But, interestingly enough, 50% of those also felt that their current insurance policies would only partially cover them in the event of an attack or breach. These findings showed me how quickly technology moves, as well as the need for end-to-end cybersecurity protection. Having insurance alone won’t solve all of your problems, nor will having only cybersecurity tools and technologies. These must work together to cover every cyber risk vector for businesses of all sizes.
DP: That a majority of security breaches at organizations occur because a single person’s weak password was exploited. Given the distributed nature of both work and operational infrastructure (think of how many SaaS tools your organization uses), there really is no perimeter in the traditional IT hardware security sense anymore in most organizations. The interface of every user with every tool is a point of risk, and the most cost-effective way to limit that risk is to secure that interface by ensuring credentials are unique, robust, and secured.
Q: How are you contributing to "demystifying" the cybersecurity field?
MM: Cyber risk is highly misunderstood. Like many concerning things in the world today, it can easily fall out of mind because it is largely out of sight. Until something happens to you or your business, it can be hard to justify taking the time to learn about just how risky the digital world can be. My team at Embroker works with our customers and the business community to understand their feelings (or lack thereof) around cybersecurity, and provide resources to help. We create reports, develop surveys, partner with great organizations like Dashlane, and make our data as transparent as possible to educate the business community on the risks and opportunities of our digital world.
DP: I am a huge believer in explaining things clearly and simply. And I value this deeply because I need people to be able to explain very technical things to me in a way that I can then accurately translate into contracts, so I have gotten very good at listening to technical speech and then translating it into plain, understandable language. I then try to make sure I reflect the important parts in my agreements without retranslating them into legal speak. I hate jargon. I am not changing the world, but it makes it a lot easier to explain why we take the contractual positions we do when the language is not intimidating.
Q: Any big shifts you have seen this year that show people are taking cybersecurity much more seriously?
MM: Two things, recently, have caught my eye.
The U.S. government has made a few moves this year that have put the importance of this issue in perspective. On March 1st, 2023, the Biden Administration released a National Cybersecurity Strategy, highlighting its commitment to supporting the nation in the digital world. For businesses and technology companies, however, this strategy also added a new level of responsibility. The onus has shifted from the unintentional actions of an individual to the systems and technologies built by the companies we rely on to access cyberspace. This is a major move, and we will surely see the implications of this on the cybersecurity and cyber insurance fronts for years to come.
The second, even more recent story was the SEC’s ruling that businesses must provide material on incidents, exposures, risk management, strategies, and governance around cybersecurity on an annual basis. These disclosure rules, which hope to shed light on often-hidden incidents that affect customers, staff, and investors, will give the public insight into gaps in protection that can help better prevent future attacks and hold organizations accountable in a responsible manner. The accountability aspect ties back to the National Cybersecurity Strategy and may put executives and corporate leadership at greater risk of liability.
DP: Exactly what Mike said.
Q: What inspires you most about working at your company today?
MM: Helping businesses grow. Starting a company, and running one for that matter, is a scary endeavor. Through surveys and reports, we have found that the majority of entrepreneurs see themselves as risk-averse. I mean, it takes a lot of guts to start a business. There’s a lot of work that goes into it, and a lot of risk that these business owners necessarily need to overlook to keep moving forward. Our job at Embroker is to help remove uncertainty against the things businesses simply can’t avoid. Fear is a strong force, and we're giving entrepreneurs the confidence to build great things.
DP: The space is interesting, important, and moving quickly. Working on something that matters with a lot of inspiring, committed co-workers is invigorating. And I never get bored.
Want even more wisdom from Davison and Mike? They’ve teamed up for a webinar that demystifies security compliance and regulations.