
What a Head of Cybersecurity and Engineering at Commercial Insurance Company Wishes They Had Known Before Entering the Insurance Industry

Malia, a Head of Cybersecurity & Engineering, found the transition from military cybersecurity to the civilian sector surprisingly complex, noting the need to learn "how to get around language" to navigate varied company policies and regulations. The lack of formal training on regulations like GDPR, HIPAA, and CCPA highlighted the significant learning curve and the importance of understanding policy implications for compliance and potential financial penalties.

Cybersecurity Regulations, Privacy Policies, Compliance, Legal Frameworks, Risk Management

Advizer Information

Name: Malia Mason

Job Title: Head of Cybersecurity & Engineering

Company: Commercial Insurance Company

Undergrad: University of Pittsburgh class of 2011

Grad Programs: EMBA UCLA class of 2023

Majors: International Relations & Affairs

Industries: Insurance

Job Functions: Product / Service / Software Development and Management

Traits: Disabled, Took Out Loans, Worked 20+ Hours in School, Veteran, LGBTQ, First Generation College Student

Video Highlights

1. The cybersecurity field in the civilian world has less rigid rules compared to the military, requiring professionals to learn to navigate nuanced regulations and policies.

2. Understanding various regulations like GDPR, HIPAA, CCPA, SOC 2, and SEC regulations is crucial for cybersecurity engineers but is not typically taught in school. This knowledge directly impacts compliance and avoids potential fines.

3. Malia suggests that students interested in cybersecurity should proactively research and learn about relevant laws and policies early in their career to gain a competitive advantage and better understand the industry landscape.

Transcript

What have you learned about this role that you wish someone would have told you before you entered the industry?

There's so much to know. When I was in the military, things were much simpler. There were strict boundaries, and if something was a national secret, you had to adhere to all the rules.

There was no questioning or bending the rules. It was a simple matter of whether you could access something or not. In the civilian world, it's different.

Depending on the industry and company, things change. Sometimes you can bend the rules, and sometimes you can get around things. We learned to rephrase things to be mostly compliant. Learning how to navigate language like that was really interesting.

I wish I had learned about the different regulations, privacy policies, and laws sooner. It took me a bit too late in my career to really dig into them. That's essential if you're in an engineering role like I am.

You still have to build your engineering around particular regulations. GDPR is famous, as is HIPAA for the medical field, and California's CCPA. There are also SOC 2 and SEC regulations.

These are different regulations that aren't really taught in school. I haven't found a good organization that really teaches them. Being able to understand a policy and regulation, what it's saying, what it's asking for, and what you need to implement in your job to be compliant is crucial.

That compliance affects insurance and potential fines. It plays a role in the entire company. Learning that earlier, especially knowing it's not taught in school, would be really beneficial. I wish I had dug into this much sooner in my career.
