Tetra Defense values a well-rounded approach when it comes to cybersecurity. Preparing for cyberattacks, strengthening defenses, and responding to incidents are all important separately, but they are far more effective when combined. To that effect, we learn from David Kruse, Director of Business Development, as he sheds light on the intersection between insurance and information security.
“Cybersecurity is a human issue before it’s a technical issue. That’s the part about this field that fascinates me.”
How did your career begin?
My Bachelor’s degree is actually in theology and philosophy, so it wasn’t a straight shot to doing Business Development for a cybersecurity firm. Like many people who pursued a path in humanities, you study your subject because you come with a genuine interest, you learn how to love it, but, like the wide-eyed romantic all humanities students are, you don’t necessarily focus on what happens the day after graduation. After graduation, I worked for a painting contractor, then as a high school theology teacher, and eventually ended up getting a job at a bank as a teller and, later, a personal banker. This was my first exposure to pretty much anything outside of the less tangible topics I studied in school, and it eventually led me to learn about other business avenues like insurance. In 2014, I transitioned from the bank to a mid-size insurance brokerage in Madison, WI. I started working primarily with small businesses, but later moved on to manage our biohealth and technology book of business. Given the unique cyber risks many of these businesses face, it was inevitable that I’d intersect with cyber sooner or later.
What first piqued your interest in information security?
In an effort to better understand how best to cover businesses from the insurance perspective, I ended up leading a work group of people dedicated to researching the evolving cyber liability insurance market. For five years, I was the point person for agents on this topic. Often, when they had a client who wanted to talk cyber risk/insurance, I was brought in to lead this discussion and then assist in negotiating favorable coverage terms. By focusing on risk first, and insurance second, we were able to develop a strong sense of how cyber risk would manifest itself across industries, and then compare that with the various insurance offerings that appeared in the market. While this is vastly different from my humanities background, I have a lot to thank for my bachelor’s since it taught me how to be genuinely curious in how these businesses and their policies are connected, and where some of these connections can become stronger.
What brought you to Tetra Defense?
My focus on risk led me to seek out partners who could mitigate that risk. I met Scott Holewinski and Cindy Murphy through various panel discussions over the years, and after many months of discussion with Scott, I was brought on the team to bring my insurance knowledge to our business development efforts. What I really like about this business is the “human” aspect of it, and what I mean by “human” is how humans interact with their technology, and how to draw conclusions from what we see in this behavior. How does a top decision maker at a company consider the risks in their cyber environment? How do we humanize a hacker? What are they motivated by, and how can we use that information to better protect our systems? It’s this kind of thinking that has me coming back to the well every day.
How do the teams within Tetra interact with each other?
Between our software development, Incident Response (IR), and proactive teams, we all benefit from seeing a complete puzzle through its many pieces. If we only had development, or if we only had IR, we wouldn’t get the full picture and we would be doing our clients a disservice. If you can investigate, solve a problem at hand, and even get a client back up and running after an incident, that’s great — but what’s better is also having an arm to the company that can shepherd them going forward so that they don’t end up in a similar situation. Our approach is not only getting clients back to “health,” but teaching them how to stay healthy in the future. Similarly, if you only have proactive services without the intel from the IR side, how can you be sure that your advice is relevant to what new threats are on the horizon every day? We value the right brain/left brain approach here at Tetra — the more information, the better, and the more connections we can make between these worlds, all the better still.
What is an average day like for you?
Like my LinkedIn profile says, I spend my days “preaching infosec to insurance and insurance to infosec.” Over the years, I’ve noticed a disconnect between IT professionals and the cyber insurance industry. Some IT professionals would often underestimate the importance of cyber insurance, almost viewing cyber insurance as an indictment of their skills. In reality though, the product was never properly explained to them. On the insurance side, there can exist a similar knowledge gap. For example, if a cyber insurance application asks “Do you have backups?”, that’s almost a worthless question, because there are so many ways a company with backups can still get into trouble, and often underwriters don’t realize that (though, the knowledgebase on the insurance side is growing stronger every single day, and is much better than it was say, 4-5 years ago). When I say “preaching infosec to insurance” and vice/versa, my goal is to address the gaps in understanding between these worlds.
A non-work related question: How do you like to spend your free time?
Lately, I’ve been reading a ton of presidential biographies, and I’m knee-deep in Grant by Ron Chernow (the author of Hamilton). Other than that, I have a nine-month-old at home who is the absolute love and joy of my life. If I’m not reading, I’m spending time with her and my wife, and getting out for an occasional hike.