Sara Schmidt – Farmers Insurance Group
When it comes to assembling a cutting-edge cybersecurity team, Sara Schmidt says it’s less about where someone went to school or what they studied, and more about passion and curiosity.
That might not sound like the wisest strategy with today’s cybersecurity environment. But for Schmidt, the chief information security officer for Farmers Insurance Group, willingness to learn is just as important as what one already knows.
After all, she says, cyberthreats don’t stand still, especially for an organization with nearly 21,000 employees operating in a high-risk and cyber-sensitive industry.
“How an employee stays up-to-date in the cybersecurity world will demonstrate how well they’ll keep up in the field,” Schmidt says. “I seek to empower people. By giving employees an opportunity to educate themselves and learn new skills, they develop a sense of ownership in that process to protect the organization.”
Initially hired as the business information security officer in 2015, Schmidt was assigned to handle all security-related matters for the independent agent business line of the organization.
Her priority was understanding the organization’s operations and safeguards. From there, she wanted to evaluate and document legacy software solutions and develop plans to move to more modern ones.
“What evolved from that process was identifying a system of upgrades and process changes—such as with authentication options—to handle insurance for our customers and protect information in a secure manner,” Schmidt says.
Upgrades not only boosted cybersecurity for the organization, they also enhanced security. By using a secure multi-authentication process, the system can validate a person logging in.
It’s a process that isn’t static, Schmidt notes, as cybercriminals are continuously developing new ways to launch attacks. Vigilance and adaptability to thwart new threats are critical, and “every day in this industry requires us to look at the system with fresh eyes, as things can change overnight,” she says.
To Schmidt, cybersecurity within an organization is a shared responsibility hinging on two tenets: educating employees and clearly defining roles and responsibilities. To that end, in 2019, Schmidt helped develop Farmers’ first cybersecurity advisory board.
Made up of members from across the company, the board mapped out the types of information used in each department—and the team’s role in helping protect it. For example, employees might be on the lookout for suspicious phishing emails while the finance team is suspicious of any account change requests. The organization also developed its own data-classification strategy.
The goal, Schmidt says, is to align security needs with the organization’s business processes. Then the upshot of the training is to provide employees with a sense of ownership over their department’s data.
“There’s a shift in mindset from protecting the entire organization to empowering the employees to protect their ‘crown jewels,’” says Schmidt. “People gain an understanding of what’s at stake and learn the best ways of helping protect and handling confidential customer and employee information.”
Helping hands against a common enemy
But while Schmidt believes that every person in the organization who handles and moves data can be part of the cybersecurity solution, the goal remains helping protect the customer’s information.
At Farmers, all employees get annual training on topics such as security awareness, identifying threats from phishing emails and how to handle sensitive information like social security numbers. Heading into 2021, new objectives will include meeting new cybersecurity regulations and increasing automation.
“As we continue to grow organizationally to meet the needs of our customers in innovative ways, we will continue to be aggressive in our approach to enterprise-wide information security,” she says.
Schmidt keeps abreast of state and federal regulations, which can impact and diversify training across the different IT functions, such as application security training for developers. The IT professionals play a larger role in security than the average employee, she says, so it’s crucial they’re informed and able to meet the new requirements.
“It’s been a journey of understanding and we are still getting in front of the organization regarding how people interact with data,” she says. “It’s about engaging and empowering people at all levels within the enterprise. Together we all make a difference.”
Schmidt says she was fortunate to find the field of cybersecurity, which came to her as a bit of a surprise. One thing she knew for certain was that she wasn’t going to be a math teacher.
Earning a mathematics degree from Aquinas College in 2003 and a master’s in applied and computational mathematics in 2006 from Johns Hopkins University, Schmidt was on her way to pursuing a doctorate when she found a brochure for the National Security Agency.
Having never taken a computer science class, she joined the national-level intelligence agency and began her career in cybersecurity, becoming a Certified Information Systems Security Professional in 2013.
Hired in 2004 as a branch chief and network vulnerability analyst for the U.S. Department of Defense, she was exposed to a new world of cybersecurity, gaining insight into global monitoring and the collection and processing of information for counterintelligence purposes. A supportive mentoring environment reinforced her continued growth.
“I developed a passion for this space and was fueled by an excitement about the industry, which was ever-changing,” she says.
In 2011, Schmidt joined Perrigo, a global consumer self-care company. As an information security engineer and governance manager for five years, she learned new sets of skills regarding ID and access control management.
It was during this time that Schmidt was recruited by Farmers—specifically to improve protections against data loss that could negatively impact customers. She quickly gained two promotions—first as director of governance, risk and compliance in information security in 2017, and then as CISO in 2019.
Women as CISOs are rare, she says, motivating Schmidt to be a role model for other female leaders. To support the careers of those in STEM (science, technology, engineering and math) Schmidt sits on two boards and mentors five women. Her goal is diversifying talent in IT and cybersecurity. Her advice to women like herself is to stay current and educated in the field, find mentors and demonstrate the curiosity and drive to learn more.
“It’s amazing how far the field has come,” says Schmidt. “It’ll be amazing to see where we are in the next 40 years.”