by Trisell 1657 days ago
I’ve worked inside of these companies. It’s not just a money issue. It’s a competency issue. These companies are at least 10+ years behind in everything tech. They still believe in firewall moats. Flat networks. They have PHI spread across dev, test and production environments. Upper management views tech as a cost center that never produces. They can’t keep talent around because they refuse to pay market rates. And most of their employees and managers have been around 20 plus years, for which they applaud longevity, and anybody who attempts to come in and do something new and secure is derided as a hipster who isn’t into security.

I knew of 5 different ways I could have exfiltrated the entire PHI of every member without them having any knowledge of it and the SecOps manager just ignored it because they were “too busy”. Throw in archaic security requirements passed down from the BCBSA that do nothing to actually improve security but generally make it harder to work and you have a recipe for disaster.

1 comments

> They can’t keep talent around because they refuse to pay market rates

The former CTO of Blue Shield of California told me back in 2012 (re tech talent):

> “We have the Ds and the Fs of the industry. I mean, who would want to work for a payor (insurance co) in SF?”

(Quoted to the best of my memory… But the first sentence is pretty much verbatim)

Kinda galling to realize that some of the most personal information of millions of people is being guarded by the D's and F's of the industry... They ever heard of "First, do no harm?"

> Kinda galling to realize that some of the most personal information of millions of people is being guarded by the D's and F's of the industry

I 100% agree.

I also wonder what the solution could be though… Especially for geographies that have lots of more interesting companies to work for.

We could sit here and say “they could pay market rates“ (or even, “they could pay shiploads of cash, benefits, etc”) but, from the little data I gathered from the CTO and others, some of the difficulties are 1. that the problems they have are generally not very interesting because… 2. their risk tolerance is -1000 since 3. innovation & change is seen as - and can pose a very material - risk, and 4. they are slow and stodgy companies mired in regulations and guided by legal teams* (Also means offering stock/upside underperforms tech companies by a mile)

I’m trying to imagine a scenario where (as a person with plenty of options) I would be interested in joining the health insurance company for longer than a year or two…

Even if they gave me a massive salary, a gorgeous office, a robust team, they would still have massive challenges to give impactful problems to work on without getting mired in internal legal battles and committee reviews.

Having seen several insurers from the inside, most of them would need massive internal cultural changes just to hire a handful of A-players and retain them for any reasonable length of time (make that triple true with the pandemic popularizing remote work)*

* A quote from the #3 person at Regence who I worked with: “I love this!” (Re a startup product.) “How do we get it around legal and through procurement?”

Even someone who controlled 1/3 of all revenue made by the business still could be stymied by legal & procurement.

* There is one shining star I could point to… Regence BlueCross BlueShield of the Pacific Northwest. They are owned by a parent company, Cambia, which also has an accelerator, venture arm, and an innovation lab if I remember correctly.

They have solved some of these issues by investing in innovators such as spotlight health to help them solve their business needs. However, I don’t believe (though I have no data) they had a robust internal security team for all the reasons listed above.

(I haven’t had any contact or affiliation with him in about eight years.)

If they actually treated their IT team as valuable staff members and not a cost center, and paid market rates, I'm sure they wouldn't have trouble finding talent.

The point made in other threads is that it's way cheaper to just pay token amounts when security breaches happen, rather than pay market rates. They don't want expensive talent.