Helping Data Scientists Through Storytelling

Good communication is always a two-way street. Insurers that employ data scientists or partner with data science consulting firms often look at those experts much like one-way suppliers. Data science supplies the analytics; the business consumes the analytics.

But as data science grows within the organization, most insurers find the relationship is less about one-sided data storytelling and more about the synergies that occur in data science and business conversations. We at Majesco don’t think it is overselling data science to say these conversations and relationships can have a monumental impact on the organization’s business direction. So, forward-thinking insurers will want to take some initiative in supporting both data scientists and business data users as they work to translate their efforts and needs for each other.

In my last two blog posts, we walked through why effective data science storytelling matters, and we looked at how data scientists can improve data science storytelling in ways that will have a meaningful impact.

In this last blog post of the series, we want to look more closely at the organization’s role in providing the personnel, tools and environment that will foster those conversations.

Hiring, supporting and partnering

Organizations should begin by attempting to hire and retain talented data scientists who are also strong communicators. They should be able to talk to their audience at different levels—very elementary levels for “newbies” and highly theoretical levels if their customers are other data scientists. Hiring a data scientist who only has a head for math or coding will not fulfill the business need for meaningful translation.

Even data scientists who are proven communicators could benefit from access to in-house designers and copywriters for presentation material. Depending on the size of the insurer, a small data communication support staff could be built to include a member of in-house marketing, a developer who understands reports and dashboards and the data scientist(s). Just creating this production support team, however, may not be enough. The team members must work together to gain their own understanding. Designers, for example, will need to work closely with the analyst to get the story right for presentation materials. This kind of scenario works well if an organization is mass-producing models of a similar type. Smooth development and effective data translation will happen with experience. The goal is to keep data scientists doing what they do best—using less time on tasks that are outside of their domain—and giving data’s story its best possibility to make an impact.

Many insurers aren’t yet large enough to employ or attract data scientists. A data science partner provides more than just added support. It supplies experience in marketing and risk modeling, experience in the details of analytic communications and a broad understanding of how many areas of the organization can be improved.

Investing in data visualization tools

Organizations will need to support their data scientists, not only with advanced statistical tools but with visualization tools. There are already many data mining tools on the market, but many of these are designed with outputs that serve a theoretical perspective, not necessarily a business perspective. For these, you’ll want to employ tools such as Tableau, Qlikview and YellowFin, which are all excellent data visualization tools that are key to business intelligence but are not central to advanced analytics. These tools are especially effective at showing how models can be used to improve the business using overlaid KPIs and statistical metrics. They can slice and dice the analytical populations of interest almost instantaneously.

When it comes to data science storytelling, one tool normally will not tell the whole story. Storytelling will require a variety of tools, depending on the various ideas the data scientist is trying to convey. To implement the data and model algorithms into a system the insurer already uses, a number of additional tools may be required. (These normally aren’t major investments.)

In the near future, I think data mining/advanced analytics tools will morph into something able to contain data visualization tools superior to those currently available. Insurers shouldn’t wait, however, to test and use the tools that are available today. Experience today will improve tomorrow’s business outcomes.

Constructing the best environment

Telling data’s story effectively may work best if the organization can foster a team management approach to data science. This kind of strategic team (different than the production team) would manage the traffic of coming and current data projects. It could include a data liaison from each department, a project manager assigned by IT to handle project flow and a business executive whose role is to make sure priority focus remains on areas of high business impact. Some of these ideas, and others, are dealt with in John Johansen’s recent blog series, Where’s the Real Home for Analytics?

To quickly reap the rewards of the data team’s knowledge, a feedback vehicle should be in place. A communication loop will allow the business to comment on what is helpful in communication; what is not helpful; which areas are ripe for current focus; and which products, services and processes could use (or provide) data streams in the future. With the digital realm in a consistent state of fresh ideas and upheaval, an energetic data science team will have the opportunity to grow together, get more creative and brainstorm more effectively on how to connect analytics to business strategies.

Equally important in these relationships is building adequate levels of trust. When the business not only understands the stories data scientists have translated for them but also trusts the sources and the scientists themselves, a vital shift has occurred. The value loop is complete, and the organization should become highly competitive.

Above all, in discussing the needs and hurdles, do not lose the excitement of what is transpiring. An insurer’s thirst for data science and data’s increased availability is a positive thing. It means complex decisions are being made with greater clarity and better opportunities for success. As business users see results that are tied to the stories supplied by data science, its value will continue to grow. It will become a fixed pillar of organizational support.

This article was written by Jane Turnbull, vice president – analytics for Majesco.

Should We Take This Risk?

  • Who takes risk?
  • Who decides whether the risk should be taken?
  • How do they know what the desired level of risk is?
  • How do senior management and the board obtain assurance that the right risks, at the right level, will be taken?

These are important questions, and every risk (and audit) practitioner should understand the answers.

Richard Anderson and I will be taking these on in April and May, and you are invited to join us. Details are at riskreimagined.com.

Taking the first one first: Who takes risk? The correct answer is “everybody”: everybody who makes a decision and everybody who acts. Every decision and action creates or modifies risk and has the potential to influence the achievement of objectives. Whether it is deciding to go through with an acquisition or to hire this candidate instead of an alternative, risk is being taken.

In general, the organization’s structure and delegation of authorities dictate who should be making which decision, who should review and approve that decision and what limitations are put on the “value” or magnitude of that decision.

In other words, the normal approval hierarchy established in any organization typically determines who makes which decision – and therefore who takes which risk.

Some people consider risk as static, the possibility of an event or situation that could affect an objective or two. But our world is anything but static; the environment in which we operate changes all the time, as regulators, markets, customers, vendors and other factors change. Our own organization also changes, as employees leave or join, get promoted, change their minds or intentions, feel differently about their or the company’s prospects, develop new products, retire old products, change pricing and so on.

So, risks are being taken all the time in an environment that is changing all the time.

The normal approval structure will also dictate who decides whether the risk should be taken. The decision maker is the person charged with making that decision, subject to review and approval.

The decision maker will normally weigh all the options, given the information available to her, and try to make an informed, intelligent decision. If there are risk-reward trade-offs, they will be considered in the decision-making process.

But how does the decision-maker know how much risk he should be taking? How does he know whether the risk level for the organization as a whole will now exceed the levels approved by more senior management and the board?

In fact, how do people know how their decisions will affect others, which objectives at the enterprise level might be affected and what the desired levels of risk to those objectives are?

For example, if you consider a recruiter in the HR department who is vetting candidates, prior to their being considered by the hiring manager, does he really know how his decisions on which to take forward will affect the organization?

Does he realize how much value and impact an individual with additional experience will bring to the sales operation, or how a lack of familiarity with ethical practices could increase compliance risk?

Does he understand that a major IT initiative might suffer if he delays a decision on which IT specialist candidates to consider? The risk may be to objectives in IT and to the objectives of the IT function’s customer – the one affected by the delay in completion of the project, or even the possibility of a failure of the project.

There are ways to address these issues that center on communication and collaboration. In the recruiting example, it is incumbent on both IT and HR to ensure the hiring urgency is understood and the value of different levels of experience and technical talent is appreciated and informs the recruiter’s decisions. Similarly, it is up to the IT customer to convey to the IT team the value of the IT project and the various risks (i.e., the effect on their and others’ objectives) should the project fail or be delayed.

Setting acceptable levels at board or top management is not the answer; it may be part of the answer, maybe even a significant part of the answer, but every decision maker needs to know what is desired at her level, and it is impractical to believe that the enterprise risk appetite statement can be translated and cascaded down in a useful and actionable way to every individual actually taking the risks.

In addition, in a dynamic world, desired levels of risk are (or at least should be) changing dynamically.

In some cases, more granular risk criteria can be defined – but, again, not for every single decision.

No, risk is taken and must be taken by individuals at all levels across the entire enterprise. If you want them to take the right risk at the right level, they must be informed and trained in the consideration of risk – and not just the risk to their personal or team objectives, but the effect on others and, eventually, how that can affect enterprise objectives.

Senior management should help by ensuring the people on their team get that decision-making training, with the help as needed of the risk officers.

How, then, do the board and senior management know that the right risks at the right levels are and will be taken? It’s not possible to be certain that they will be taken. Perfect assurance is not possible, as decision makers are human, and they will make mistakes even when all the information is available and they have taken all the required training.

Only reasonable assurance can be obtained.

A few things contribute to obtaining that reasonable assurance:

  • Care and attention to the decision-making process, ensuring that decision makers consider what might happen as an integral element in that process: what needs to go right as well as what could go wrong.
  • Care and attention to the “risk management process/framework/whatever-you-want-to-call-it,” thinking through how desired levels of risk are defined and communicated, the appropriate review and approval process, how people are provided the information they need to make risk-informed decisions and so on.
  • The objective assessment by management (and the chief risk officer) of that risk management process – an honest assessment of whether it provides the necessary assurance and whether it is delivering the value to the organization it should by improving the quality of decisions. I think this assessment should be shared formally with the board.
  • Careful monitoring, after the fact, of actual risk levels and determining what failed when risks exceed desired levels.
  • An independent and objective assessment of the enterprise’s management of risk by the internal audit function.

This is a quick essay on the topic, which is complex and tough to achieve in practice. I welcome your thoughts and hope to discuss it further with you in April or May.

Spear Phishing Attacks Increase

Spear phishers continue to pierce even well-defended networks, causing grave financial wounds.

Spear phishers lure a specific individual to click on a viral email attachment or to navigate to a corrupted Web page. Malicious code typically gets embedded on the victim’s computing device, giving control to the attacker.

A recent survey of 300 IT decision-makers in the U.S. and the U.K.—commissioned by threat-protection solutions provider Cloudmark—found that a spear-phishing attack penetrated the security defenses of more than 84% of respondents’ organizations.

Spear phishing continues to turn up time and again as the trigger to massive network breaches, including widely publicized attacks on JPMorgan Chase, eBay, Target, Anthem, Sony Pictures and the U.S. Office of Personnel Management.

“Criminals have achieved high success rates with spear-phishing attempts, and that success is breeding even more attempted attacks,” says Angela Knox, Cloudmark’s senior director of engineering and threat research.

Respondents to Cloudmark’s survey said that, on average, their organizations lost more than $1.6 million from spear-phishing attacks during the 12 months before the survey.

Spear phishers install malware, seek privileged access accounts and scour breached networks for confidential business plans, information about current negotiations and other valuable data. And the attackers are in a position to manipulate, disrupt or destroy systems.

Attacks on banks, credit unions and professional services firms that help conduct financial transactions often focus on persuading employees to wire money to the phishers’ accounts.

“Even if the money can be recovered, it takes time and effort to recover it,” Knox says. “In one high-profile incident, a company lost $46.7 million due to email spoofing.”

Resist oversharing

One reason spear phishing persists is that people reveal a wealth of personal and behavioral data on the Internet. Attackers tap this information to profile victims and create email and social media messages crafted to appear to come from a trusted source—in a context that puts the targeted victim at ease.

The end game: Get the person to open a viral email attachment or click to a malicious Web page.

“Everyone is now a target, and users can no longer depend on spelling mistakes or random scams,” says Chester Wisniewski, senior security adviser at antimalware vendor Sophos.

Peter Cassidy, secretary general of the Anti-Phishing Working Group, an international coalition fighting cyber crime, says spear phishers in recent years have gone to greater depths in focus and planning.

“These days, it’s not uncommon to see an attack that targets specific personalities for their access within an enterprise and loads a malware payload to execute an exploit that will open a pathway the attackers are waiting for—and will use to gain access to data they prize,” Cassidy says. “Talk about orchestration! Stravinsky and these guys would have a lot to talk about.”

Employees part of solution

A primary defense is to continually train employees to be vigilant, and a cottage industry of training services and technologies has arisen in recent years to assist companies of all sizes. But even trained employees remain susceptible to sophisticated trickery.

Nearly 80% of organizations surveyed by Cloudmark reported using staff training to prevent attacks. Of organizations that test their employees’ responses to spear-phishing attacks, only 3% said that all employees passed. Respondents estimated that 16% of staff members failed their organizations’ most recent spear-phishing tests.

“Humans are flawed,” Wisniewski says. “You can never stop spear phishing entirely,” because “it is not a technical problem that can be solved.”

It’s human nature for employees who spot something wrong or who believe they may have been tricked to hesitate reporting the incident. Yet quick reporting is a key to remediation. “Accidents happen, but detection and remediation are more successful the less time the criminal has to take advantage of your errors,” Wisniewski says.

This post was written by Gary Stoller.

Better Way to Assess Cyber Risks?

As the saying goes, there are two kinds of motorcyclists: Those who have fallen off their bikes and those who will.

The insurance industry assesses the corporate world’s cybersecurity risk much the same way. Everyone is equally at risk, and, therefore, everyone pays the price for higher insurance premiums.

Not a day seems to go by without news of a high-profile security breach. It’s no surprise, then, that the cybersecurity insurance market is expected to rise to $7.5 billion by 2020, according to PwC. Even worse, the industry does not have effective actuarial models for corporate cybersecurity, say Mike Baukes and Alan Sharp-Paul, the co-founders and co-CEOs of UpGuard.

The two audacious Australians have developed what they say is a better way to assess the risk for cybersecurity breaches.

The pair’s company recently unveiled its Cybersecurity Threat Assessment Rating (CSTAR), the industry’s first cybersecurity preparedness score for businesses. UpGuard’s CSTAR ranking is a FICO-like score that allows businesses to measurably understand the risk of data breaches and unplanned outages because of misconfigurations and software vulnerabilities, while also offering insurance carriers a new standard by which to more effectively assess risk and compliance profiles.

According to Baukes and Sharp-Paul, many companies forgo available policies due to perceived high cost and uncertainty that their organizations will suffer an attack. With countless patches and endpoint fixes slapped onto IT infrastructure to hastily remediate breaches, companies have found themselves with less visibility into their core systems than ever before and, as a result, no way to understand how at-risk they are for hacks. With CSTAR, businesses are able to regain transparency into their own stack and take the appropriate steps to bolster their cybersecurity. Insurance carriers, meanwhile, can make smarter underwriting decisions while accelerating the availability of comprehensive and cost-effective cybersecurity insurance policies for businesses. It’s a win-win for both the insurance industry and for businesses.

After spending years in financial services in Australia and the U.K. and witnessing the disarray of corporate IT, UpGuard’s two co-founders decided they could make a difference by developing a better way for corporations to understand their software portfolios and their associated potential risk for security breaches. Baukes says, “Our experience showed that there were thousands of applications and thousands of machines powering all of this critical infrastructure. And the thing that we learned throughout all this was just how hard it is for an IT organization to understand and get a handle on what they’ve got.”

“Today, everything is out in the cloud,” Sharp-Paul says. “We’re all more connected. Employees are connected 24 hours a day, seven days a week. Now what keeps CIOs and CEOs up at night is, ‘If we get breached, I could get thrown in jail. I could get sued.’ It’s a very, very different world we live in today. We built a system to help companies understand and prevent downtime, and helping them save on project costs is just as relevant today from a security perspective.”

The two initially started a consulting company to help companies catalogue and manage their software platforms and applications. According to Sharp-Paul, “We realized the biggest problem companies have from an IT perspective is that they don’t really have appropriate visibility into what they’ve got and how it’s changing because so many things are changing daily in these environments that it’s really hard for them to know what ‘good’ looks like.”

Sharp-Paul and Baukes’s consulting led them to develop software to automate the process, providing the means to quickly and effectively crawl every server and software application to present a profile of what needed to be updated or patched and to identify the system holes that allowed for security breaches.

As Baukes tells it, “Getting that all to mix well and be safe, secure and capable of pinpointing where problems go wrong really quickly is an incredibly difficult task. So, we built up the first commercial version of the product—a very rudimentary version—and we shopped it around, and people were very excited at the time.”

From there, the pair realized their software had commercial potential and implications more far-reaching than what they had first thought. “We started with that very simple version with a few sales and no sales force—just Alan and [me] at the time—growing to the point now where we now have 3,000-plus customers, and the team is steadily being built,” Baukes says.

Now, the company has nearly 50 employees and is growing fast. The Mountain View, CA–based company attracted early seed funding from the likes of Peter Thiel, Dave McClure and Scott Petry, leading to a near $9 million Series A funding underwritten by August Capital.

The co-CEOs admit the co-managing arrangement is unconventional and would be challenging to make work under different circumstances. However, Baukes and Sharp-Paul feel their skills and temperament complement each other.

“To be honest, when people ask us about it, my first response is always that it’s a terrible idea,” Sharp-Paul says. “And that’s not because it’s been a horrible experience for us. It’s because I kind of think we’re really the exception. And the only reason I say that is that I know the unique things we went through and the type of people we are that makes this work. I can’t imagine that being a common thing at all.”

Baukes is generally a more aggressive and strategic thinker, while Sharp-Paul describes himself as more pragmatic and conservative.

Sharp-Paul and Baukes first worked together at the Colonial First State Investment firm back in Sydney, where the two lived the DevOps experience before DevOps became the buzzy concept that it is today. There, Sharp-Paul was a web developer, and Baukes was a systems administrator, and they talked a lot about things like continuous integration and continuous delivery.

“Now these are all fantastic things,” Sharp-Paul says. “But you need a foundation or a basis of understanding what you have. I mean, we like to say you can’t automate what you don’t understand. Or you can’t secure or fix what you don’t understand. And that’s always missing. Everyone’s trying to rush to this goal of DevOps or moving to the cloud. Everyone wanted to be there, but companies and vendors in particular weren’t helping businesses on the journey there.”

Baukes says, “Once you have that base understanding of what you have, then that opens everything else up. You can think about DevOps. You can think about automation. At the time, we were thinking, ‘Why hasn’t anyone thought to do this before?’ It seemed like such a foundational, basic thing. It was almost like it was so foundational that everyone just moved past it, and they were looking at the next shiny thing down the road. I think that was the white space. That was our opportunity. We jumped on it.”

As it turns out, in the world of corporate IT, applications never get retired. Even worse, the people who manage them move on because the life cycle of an employee at a company is short. As a result, the institutional knowledge about these applications is lost.

“Corporate memory is so short typically,” Sharp-Paul says. “They often get to this point five years down the track where they rediscover this server or this application, and everyone’s too scared to touch it because they don’t know what it does. They don’t know how it works. The people with the knowledge just left with it all in their heads. We come across that all the time.”

Sharp-Paul and Baukes had always seemed destined to do something on their own.

“I always had a healthy disrespect for authority. Throughout my corporate life, I was looking outside to see what else is out there,” Sharp-Paul says. “I actually started the first step of creating a business on my own—with something as mundane as a French language website that I used when I moved overseas for a couple of years. … It taught me that I can actually build something myself that makes money.”

Baukes agrees.

“The big difference is that I grew up in an immigrant family in the middle of nowhere, effectively. I won’t say the Australian Outback, but really rural,” he says. “We built everything ourselves. My father was a great wheeler and dealer. So, I learned a lot from him. I fell into all of this by playing computer games and was really good at it, frankly. For me, that was a springboard into an accidental corporate life. I always knew that I would do something else.”

Now, for the future?

Baukes says, “It makes good business sense to quantify the risk in your company’s IT systems and report it effectively. And I think that for us, we could continue growing our business with that in mind—giving people visibility, helping them get to the truth of what they’ve got, teaching them how to configure it, and showing them if they’re vulnerable. That is beginning to accelerate for us, and we’re incredibly proud of that.

“We truly believe that, over time, CSTAR will be adopted as an industry standard that companies and carriers alike can rely on to make critical coverage and cybersecurity decisions.”