ITSPmagazine Podcasts

Bridging Cybersecurity and Finance for Better Insurance Outcomes | 7 Minutes on ITSPmagazine From HITRUST Collaborate 2024 | A Google Short Brand Innovation Story with Monica Shokrai

Episode Summary

Join Sean Martin and Monica Shokrai, Head of Risk and Insurance for Google Cloud, as they explore the innovative strategies behind Google's approach to cyber insurance and risk management. Discover how interdisciplinary collaboration and automation are shaping the future of cyber insurance and helping organizations mitigate risks effectively.

Episode Notes

In this Brand Story episode, recorded live at the HITRUST Collaborate Conference 2024, host Sean Martin sits down with Monica Shokrai, Head of Risk and Insurance for Google Cloud. The topic of conversation centers around cyber insurance, a crucial area impacting organizations across sectors.

Monica Shokrai leads the charge in managing risk and procuring insurance for Google Cloud, a role that integrates closely with both the finance and security teams. She highlights the unique dual approach of her team, which not only secures coverage for Google but also strategizes on how to leverage insurance to assist Google Cloud customers in mitigating risks.

A key point discussed is the interdisciplinary nature of cyber insurance. Traditionally managed by the finance or legal departments, Shokrai emphasizes its growing collaboration with cybersecurity teams. She notes that the standard organizational structure often sees a communication divide between finance and security departments. However, the evolving cyber insurance market is pushing these groups closer together, fostering a more integrated risk management strategy.

Shokrai also shares insights on how Google approaches risk exposure and posture. By modeling risk in-house and leveraging an actuarial team, Google can quantify risks accurately and work closely with security teams. This model not only helps in securing better insurance terms but also aids in understanding and integrating security measures within the organization.

Another significant point is Google’s innovative approach to automating the cyber insurance process. Through their Risk Protection Program, Google allows security metrics to be shared with insurance partners like Allianz in Munich. This method simplifies the underwriting process and promotes a data-driven approach to evaluating cybersecurity risks, aligning insurers and security teams toward a common goal.

Overall, the discussion underscores the importance of a cohesive strategy that bridges finance and cybersecurity through innovative risk management and insurance practices. With leaders like Monica Shokrai at the helm, Google Cloud is at the forefront of integrating these critical functions, ultimately benefiting both the company and its customers.

Learn more about Google Cloud: https://itspm.ag/google-pkap

Note: This story contains promotional content. Learn more.

Guest: Monica Shokrai, Head of Risk and Insurance, Google Cloud [@lifeatgoogle]

On LinkedIn | https://www.linkedin.com/in/monicashokrai/

Resources

Learn more and catch more stories from Google: https://www.itspmagazine.com/directory/google

Simplified Cyber Insurance for Organizations with a HITRUST Certification: https://itspm.ag/hitrusp5x6

Learn more and catch more stories from HITRUST: https://www.itspmagazine.com/directory/hitrust

Learn more about 7 Minutes on ITSPmagazine Short Brand Story Podcasts: https://www.itspmagazine.com/purchase-programs

Newsletter Archive: https://www.linkedin.com/newsletters/tune-into-the-latest-podcasts-7109347022809309184/

Business Newsletter Signup: https://www.itspmagazine.com/itspmagazine-business-updates-sign-up

Are you interested in telling your story?
https://www.itspmagazine.com/telling-your-story

Episode Transcription

Bridging Cybersecurity and Finance for Better Insurance Outcomes | 7 Minutes on ITSPmagazine From HITRUST Collaborate 2024 | A HITRUST Short Brand Innovation Story with Monica Shokrai

Please note that this transcript was created using AI technology and may contain inaccuracies or deviations from the original audio file. The transcript is provided for informational purposes only and should not be relied upon as a substitute for the original recording, as errors may exist. At this time, we provide it “as it is,” and we hope it can be helpful for our audience.

_________________________________________

Sean Martin: [00:00:00] And here we are ready for another seven minutes on ITSP magazine. And we're coming to you from the HITRUST Collaborate Conference, 2024. We're going to talk about cyber insurance today. There was a fantastic panel. With with brokers and and buyers of insurance. I'm here with Monica Chakra. I thank you for joining me from Google. 
 

Monica Shokrai: Thanks for having me. Yeah, thanks for having me.  
 

Sean Martin: And before we get into the topic, maybe a few words about your role, Google Cloud and what you do with relation to insurance.  
 

Monica Shokrai: Absolutely. So I lead risk and insurance for Google Cloud that traditionally is a buyer's role. So I sit within the finance team and help procure insurance for the company. 
 

But because of the nature of Google and just how my role has evolved over time, I also work very closely with the business and think of partnerships of how to use insurance to help our customers, um, and ultimately reduce risk for our customers and ourselves. So, yeah, it's been exciting. I've been at Google for six years. 
 

Sean Martin: That's [00:01:00] fantastic. So I have to start here. Um, I know we want to talk about some of the challenges, but I'm going to tune it to the fact that you sit within finance because I think a lot of people generally think cyber insurance is owned by CSOs and not necessarily in the finance team of the CFO. So what are some of the challenges, um, you think a lot of organizations might face because of that? 
 

Monica Shokrai: Yeah, it's a, it's a great question. So typically cyber insurance is procured through the treasury organization within finance or the legal organization, but it's one of those. coverages from an insurance perspective that is more interdisciplinary than probably the other ones that you'll see on a day to day basis. 
 

Um, and ultimately the risk lies with the CISO. And so, um, there's a lot of collaboration that takes place. I work very closely with our chief information security officer and, and his broader team on trying to understand their risk and translate it. Um, you spoke, you [00:02:00] asked a little bit about challenges. I think the standard organization. 
 

Uh, has a big divide between those groups. And so in an average organization, there's, um, Communication challenges at times, uh, understanding challenges at times, but I do think that as cyber insurance matures as a market, those two groups are coming closer and closer together. Um, and I've, I've heard the term before, like, should a CISO be a cyber CFO, for example, I'm not sure if you've had, there's articles about that sort of thing, because ultimately they're the ones that are accepting the risk. 
 

Um, and I think there's a lot of. Interesting innovation that can happen at the intersection of those two groups.  
 

Sean Martin: So how do, how do you approach looking at the risk exposure and the posture that you have and bring the teams together, I guess, to really understand? So you can actually get, get coverage. I'm sure it's probably easier for Google than maybe some [00:03:00] other organizations, but how do you actually put your best foot forward? 
 

Um, maybe leveraging some of the high trust work that R2 stuff that,  
 

Monica Shokrai: yeah. Absolutely. So, um, my organization in particular, which might be a little bit unique just because of the nature of Google, we actually model all of our risk in house. So what I didn't mention is I also lead our actuarial team for Alphabet. 
 

We quantify that risk, and we can't quantify that risk without a very deep engagement with our security teams. And so there's a lot of discussions about trying to understand how things are built in and, um, Have that integration so that we can have a better outcome. Um, so that's one of the things that we do that's somewhat unique. 
 

From a HITRUST perspective, we're HITRUST certified. We are a partner of HITRUST. We work with them quite a bit. Um, and that we developed a program that's similar to the R2 program that they put together. And so we've, we've collaborated with them in that regard. Um, [00:04:00] But less in our specific cyber insurance renewal just because of the scope and size of Alphabet. 
 

It's a lot of conversations at the executive level with cyber insurers for them to understand the approach that we have as a whole.  
 

Sean Martin: And so you have, you do a lot of risk analysis and obviously that's what you're saying. Maybe other organizations don't do nearly as much, but the value of. Having that understanding and then Mapping that to an R2. 
 

So it brings consistency. I presume. 
 

Monica Shokrai: Yeah Yeah, absolutely, um, I I think I'll take a slightly different route just because We're our program is slightly different but Similar to the R2 framework what we put together is this idea that today cyber insurance is a You have these long questionnaires that you're answering with yes or no questions that don't [00:05:00] always reflect what questions don't always reflect risk. 
 

And so one of the things that we put together is a scan of your Google Cloud environment under this program called the Risk Protection Program, where you can identify security metrics and through a couple clicks send that to our insurance partners. Right now we're working with Allianz in Munich. And the idea that we have within that program actually is to We've collaborated very closely with HITRUST to develop the R2 program, so I'd say they're, they're definitely not competitive, competitive, they're more like sister programs, but they're similarly trying to get the insurance industry to a place where we're using data in an automated way to better underwrite cyber insurance. 
 

Sean Martin: And sometimes. With automation, you might skip steps or, or leave some things on the table that you might not want to, um, but how does, uh, I presume a lot of the data that you have that you bring to the table, as well as the data that HITRUST has, um, [00:06:00] eliminates some of that risk of leaving things on the table. 
 

Monica Shokrai: Yeah, the way that we're approaching it today, and I believe high trust is similar with their, their program is that we're trying to automate the insurance process as much as we can. So the data that we do have that will pre fill their applications or understand certain areas of risk that an insurer wants to better evaluate. 
 

That will reduce the number of questions that you have within your questionnaire, but if there's something that's not sufficient, we'll keep that question until we get to a place in the industry where we can use automated, uh, data from within a customer's environment to answer it. So, uh, I would say it's a step forward, and ultimately, hopefully, anything that can be automated will be automated, and it will ultimately bring, um, the security team into the same place. 
 

Mindset as the insurers where if I'm reducing risk, I get rewarded for that from an insurance perspective  
 

Sean Martin: Fantastic. I love this innovation because I'm a nerd like that I'd love to talk more but that is seven [00:07:00] minutes on ITSB magazine. Thank you very much.  
 

Monica Shokrai: Thank you so much