<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Regulatory Reality &#187; CISA</title>
	<atom:link href="http://itknowledgeexchange.techtarget.com/regulatory-compliance/tag/cisa/feed/" rel="self" type="application/rss+xml" />
	<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance</link>
	<description>A SearchFinancialSecurity.com blog</description>
	<lastBuildDate>Wed, 06 Mar 2013 17:19:34 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	
		<item>
		<title>Are banks unfairly scrutinized?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/#comments</comments>
		<pubDate>Mon, 22 Oct 2012 14:09:17 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[ACH]]></category>
		<category><![CDATA[assess]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[assessments]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[auditor]]></category>
		<category><![CDATA[audits]]></category>
		<category><![CDATA[banking]]></category>
		<category><![CDATA[banks]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[community bank]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[credit unions]]></category>
		<category><![CDATA[CU]]></category>
		<category><![CDATA[exam]]></category>
		<category><![CDATA[examination]]></category>
		<category><![CDATA[examinations]]></category>
		<category><![CDATA[examiner]]></category>
		<category><![CDATA[examiners]]></category>
		<category><![CDATA[exams]]></category>
		<category><![CDATA[FFIEC]]></category>
		<category><![CDATA[financial institutions]]></category>
		<category><![CDATA[general controls]]></category>
		<category><![CDATA[GLBA]]></category>
		<category><![CDATA[identity theft]]></category>
		<category><![CDATA[information security]]></category>
		<category><![CDATA[information security office]]></category>
		<category><![CDATA[Information Technology General Controls]]></category>
		<category><![CDATA[internal audit]]></category>
		<category><![CDATA[internal controls]]></category>
		<category><![CDATA[ITGC]]></category>
		<category><![CDATA[NPPI]]></category>
		<category><![CDATA[observations]]></category>
		<category><![CDATA[oversight]]></category>
		<category><![CDATA[personally identifiable information]]></category>
		<category><![CDATA[PII]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk assess]]></category>
		<category><![CDATA[risk assessment]]></category>
		<category><![CDATA[risk assessments]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[risk-based]]></category>
		<category><![CDATA[risks]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=993</guid>
		<description><![CDATA[A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) [...]]]></description>
				<content:encoded><![CDATA[<p>A few years back when I first cut over to working somewhat exclusively with financial institutions I memorized an elevator speech that still somewhat defines who I am and what I do professionally.  Part of the speech pointed out that my firm helped &#8220;banks and credit unions meet regulatory compliance with respect to GLBA 501(b) and NCUA Part 748 A&amp;B&#8221;.  To this day when anyone inquires as to what I do for a living this surfaces in some form as an answer.</p>
<p>Truth be told, while I&#8217;ve spent somewhere near seventy-five percent of my time over the past ten years working for financial institutions I&#8217;ve also done a fair amount of work for insurance companies, mostly centered on SOX with occasional diversions into general risk assessment work.  The drivers in the insurance industry are different in terms of oversight and requirements and so the volume of work isn&#8217;t nearly the same.  But that by itself raises a question: Why isn&#8217;t the insurance industry as regulated as financial institutions?</p>
<p>I&#8217;ve now done major audit and assurance work for financial institutions, insurance companies and health care providers, and for most of them the risk profile is almost identical in terms of non-public personal information.  So why isn&#8217;t the level of scrutiny equal across all three of them?  While some might start spouting about how it is, about how states routinely audit insurance companies and how the health care industry has to comply with HIPAA, the truth is that banks and credit unions are held to a much higher degree of accountability than any other vertical.  Why is that?</p>
<p>I&#8217;m fond of routinely, almost incessantly beating the drum about how it&#8217;s all about the risk.  I get my initial client opportunities because I have a deep resume with relevant experience, but I generate repeat business because I tend to whittle things down to what matters most both to my clients and to their oversight providers (auditors and examiners alike).  Compliance exists because risks need to be addressed &#8211; if the risks aren&#8217;t credible or likely the work should be adjusted to reflect that.  But where the risks are real they&#8217;re really real.  The type of data shared with an insurance company is in many ways even more sensitive than anything shared with a bank, and most of what&#8217;s shared with insurance companies is also shared with health care providers.  Yet there&#8217;s no true Federal oversight for the insurance industry, and HIPAA is about as much of a toothless tiger as anything I&#8217;ve ever encountered.</p>
<p>I recently completed a boatload of documentation to get my family on a new health insurance plan.  I turned over every piece of sensitive information I have for every member of my family, minus my bank account information, because that&#8217;s what was required.  I had to provide all of this online and follow that up by sending them an impressive array of hard-copy documents with even more sensitive information that should never be kicking around in the public domain.  In the past I&#8217;ve also been required to provide my bank account information because one plan in particular would only provide coverage if they could automatically deduct monthly premiums via ACH drafts.  So now the insurance industry has access to it all: name, address, social security number, date-of-birth, maiden name, medical history and banking information.  And yet there&#8217;s no true oversight agency that&#8217;s responsible for making sure they&#8217;re protecting all of MY information.</p>
<p>To compound my frustration, of the four insurance companies I&#8217;ve conducted work for since 2006 (two of which are Fortune 500s) exactly none of them has something akin to a Chief Information Security Officer.  They all have risk people focused on the business side of things (because that&#8217;s necessary to protect profitability) but that&#8217;s it.  There&#8217;s typically an information security manager who&#8217;s part of the infrastructure team but who almost never reports right into the senior-most technology person (e.g. CIO, CTO).  Any audit work that occurs is coordinated across multiple IT managers, and on rare occasions there will be an audit/assurance manager.  However, in the one example I personally know of where that position exists, the person in the role was really just a converted IT manager who obtained a CISA designation &#8211; no fundamental audit or assessment experience.</p>
<p>The question has to be asked:  Why is it that banks and credit unions are heavily regulated regarding protection of non-public personal information but other industries with similar risk profiles are not?  Why aren&#8217;t insurance companies required to comply with FFIEC-type guidance?  Why isn&#8217;t there a Federal regulatory agency that is responsible for keeping an eye on the insurance industry the way the FDIC, OCC, FRB and NCUA do so for their financial institutions?  And trust me, whatever oversight exists for the insurance and health care industries is largely ineffective.  Why is my sensitive information considered more at risk within a banking infrastructure than it is within an insurance infrastructure?  Having been on site for both and examined their internal controls, I can&#8217;t answer that question, that&#8217;s for certain.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/are-banks-unfairly-scrutinized/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Does an IT auditor need to be CISA certified?</title>
		<link>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-an-it-auditor-need-to-be-cisa-certified/</link>
		<comments>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-an-it-auditor-need-to-be-cisa-certified/#comments</comments>
		<pubDate>Sun, 27 Feb 2011 19:31:28 +0000</pubDate>
		<dc:creator>David Schneier</dc:creator>
				<category><![CDATA[assessment]]></category>
		<category><![CDATA[Audit]]></category>
		<category><![CDATA[audit plan]]></category>
		<category><![CDATA[audit program]]></category>
		<category><![CDATA[CISA]]></category>
		<category><![CDATA[CISSP]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[Regulatory Compliance]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[risk management]]></category>

		<guid isPermaLink="false">http://itknowledgeexchange.techtarget.com/regulatory-compliance/?p=632</guid>
		<description><![CDATA[It&#8217;s been a while since my last post as I&#8217;m in hunker-down mode as we prepare our next compliance software offering for release.  But in the midst of my coding/testing insanity, a conversation occurred that brought up the value of certifications that I haven&#8217;t been able to completely let go of. On occasion I receive [...]]]></description>
				<content:encoded><![CDATA[<p>It&#8217;s been a while since my last post as I&#8217;m in hunker-down mode as we prepare our next compliance software offering for release.  But in the midst of my coding/testing insanity, a conversation occurred that brought up the value of certifications that I haven&#8217;t been able to completely let go of.</p>
<p>On occasion I receive phone calls from recruiters looking for resources to take on contract work. An important part of our practice is comprised of services work and so I&#8217;ll look into the opportunity; if it&#8217;s consistent with what we do and it&#8217;s a good fit for someone in our practice we&#8217;ll try and make it work. In this particular instance, the hiring client had some very specific requirements that presented as unusual. It wasn&#8217;t so much in what they were looking for from a definition perspective but rather their method of vetting the candidate. The recruiter told me right up front that any candidate needed to present proof of their certifications before being considered for the position. In more than a dozen years working in audit and compliance I can&#8217;t recall ever being asked right up front for such information and it caught me off guard.</p>
<p>The certification in question was the Certified Information Systems Auditor (CISA) designation issued by ISACA. Generally speaking it&#8217;s the de facto standard when it comes to my professional space, but only because it&#8217;s the only one available. While there are a number of IT auditors who also have the CIA designation, it&#8217;s somewhat rare and unusual. But while it may be the standard cert for IT auditors, it&#8217;s certainly not a hard requirement and not something that all practitioners aspire to. I probably know more excellent IT auditors who don&#8217;t possess a CISA than I do those who do. I sat for the exam (and passed) back in 2005 because I was looking for a way to bookmark my audit experience; too many recruiters saw my resume and thought of me more as an IT practitioner than as an audit/compliance resource. I wanted to distinguish myself as an auditor and that seemed to be the best, most direct way to do so.</p>
<p>What I learned during the period of time while studying for the exam was that I already knew what was necessary to pass the test. There were a few disciplines covered during the exam that exceeded my knowledge (primarily around cryptography, encryption and key management), but I was okay with that because those were areas I would never pursue work in (we throw that stuff to our CISSPs). Midway through the exam preparation experience, I questioned the validity of the certification. I genuinely believed that my previous eight years of experience spoke more to my expertise than any certification ever could. A year or so later I came to learn that when ISACA issued new certifications they also allowed for grandfathering &#8211; you could simply pay for the certification if you could prove that you already had the experience doing that sort of work. That cemented my opinion that experience was far more significant than the cert (and it also meant that a solid number of CISAs I knew never had to pass the exam).</p>
<p>Within the first two years after I passed the exam I knew three people with almost no audit experience who studied for and passed the CISA exam because they believed audit and compliance work was their best way to stay employed. None of the three knew how to conduct a risk assessment, develop an audit plan, write an audit program or build work papers after taking the exam, yet all three were CISAs. With some minor modifications to their resumes they could present themselves as true audit professionals. That also cemented my opinion that the certification wasn&#8217;t as much of an indicator of ability as I once thought.</p>
<p>I recall a conversation with someone who was an IT audit instructor, but who at the time didn&#8217;t possess the CISA certification. His issue with the certification was that he didn&#8217;t believe multiple choice exams proved competency, because you knew one of the provided answers was correct and so you just needed to be good at taking exams and making educated guesses. I don&#8217;t know if I completely agree, but I have come to believe that the CISA certification would be that much more meaningful if the candidate had to display a basic ability in conducting the related work. Give them a set of criteria about an environment (e.g. software, networking, etc.), have them create a risk assessment to determine what should be assessed, develop an audit plan based on the identified risks and write the audit programs to test the necessary controls. A panel of reviewers could grade the material and decide if the candidate possesses the necessary competencies. At least with such an approach you would know that if you hire a CISA-certified practitioner, they have the skills to do the job. By the way, of the three aforementioned practitioners who are CISA-certified, only one could actually pass such an exam today, three-plus years after having obtained the designation.</p>
<p>And so in an industry where you don&#8217;t need a certification to work (unlike the medical or legal professions), I&#8217;m not sure that a similar value should be placed on possessing one.</p>
]]></content:encoded>
			<wfw:commentRss>http://itknowledgeexchange.techtarget.com/regulatory-compliance/does-an-it-auditor-need-to-be-cisa-certified/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
