Cyber Security Today with Rear Admiral Danelle Barrett (Ret.)

Stewart: Welcome to another edition of the Insurance AUM Journal podcast. My name's Stewart Foley and I'll be your host. And today's topic is a good one. We are talking about cybersecurity, which is top of mind for a lot of folks. And we are joined by an expert that we're very fortunate to have with us, retired Rear Admiral Danelle Barrett from Academy Securities. Danelle, welcome.

Danelle: Great. Thanks Stewart. Appreciate being here. It's an honor and I don't often get to talk to the insurance industry so this is kind of new for me too. This will be fun.

Stewart: Yeah. It's going to be fun. I'm thrilled to be able to talk with you, slightly intimidated, a little scared, but here we go. Can you talk about your career and what it was like to be a woman in the military? Obviously that's changed a lot from the beginning of your career to the latter part of it. I'd love to just start there and how did you get to cybersecurity as a specialty?

Danelle: Yeah, it's interesting. When I came in the Navy, I was a history major who couldn't program her VCR and now I can program routers. There you go. It's amazing what the Navy will teach you that you never even know you wanted to learn. When I first came in, I did traditional communications like radio frequency, space, satellite, how our ships communicated back to shore. And then we also managed big data centers, old-school style, not like cloud like we have today. That's the kind of work that I did initially when I came in and then they lifted combat restrictions for women about in the mid 90s and then I immediately tried to go sea because I joined the Navy to do those kind of things. And so, I was a network officer on a ship and that would be making sure that you had networks where people could log in and do their work - emails or whatever they needed to do.

And then that solely progressed from traditional communications to cyber. As IT and cyber advanced, so did my career in those areas because my specialization in communications for the Navy picked up those responsibilities. Cyber defensive operations and, you know, how to get networks out and defend those. Last couple jobs in the Navy were actually really super cyber focused and super digital transformation modernization focused because I would look at the whole enterprise, okay, where do we need to improve across? Not just from a cybersecurity perspective but just for use of information. My last job in the Navy was director of Navy cybersecurity and the deputy CIO of the Navy and the job I had right before that was at United States Cyber Command, which is the nation's command that does offensive and defensive cyber operations for the military and I was in charge of current operations. Anything that was happening at that time, right before I left, we had Iraq and Syria operations going on, that would've been in sort of my bailiwick.

That's sort of my career. Now I do corporate boards and do some writing and consulting with Academy Securities, is one of the companies I enjoy working with. And Academy Securities does a great job in kind of pulling together folks who are kind of deep specialists but at a high strategic level so that they can talk to ‘what's the geopolitical implications of this’? What are the strategic implications of the areas that we're talking about? And today we're going to be talk about cyber.

Stewart: And just so everyone knows, can you talk a little bit, so Academy Securities is unique in that it's veteran owned and it is an institutional broker dealer, right?

Danelle: Yeah. It's a veteran and disabled veteran owned actually and it's operated with an investment bank and it looks at markets, different markets out there. I've spoken to folks at other companies that you wouldn't think of, Disney, and they work with IBM and ATT, Kellogg's, Mountain Life, Dell. They have a whole gamut and plus other industries. They really kind of spread out their expertise and some of their expertise isn't like mine, really highly technical. Some of it's more operational or strategic in a geopolitical sense. And so they have lots of experts that can speak to those topics.

Stewart: And that's kind of an unusual situation. Your head of distribution is Randy Lauer who's a good friend and Randy and I met, he's on the board of trustees at Lake Forest College. And when I taught there, we got a chance to meet. When Randy left his firm and went to Academy, we talked and Michael Rodriguez came on and did a podcast on ESG and sustainability, which was terrific. And then they suggested that we speak with you. And the old saying is, it's better to be lucky than good, and the timing of this is despite the terrible situation on the ground, there's a lot to talk about with regard to cyber and the Ukraine. I know that you just did a webcast recently on that topic specifically. But I guess, let me just ask the first question, which is, what is the threat – whether it's nation states, criminals, terrorists, everyday hackers, whoever, what is the threat? And how is it impacting businesses? What are the threat trends that you see today?

Danelle: Yeah. Let's just put Ukraine aside for a minute because you could talk for a whole 10 hours on what's going on over there. Lots and lots of cyber activity there. Both sanctioned, meaning from the GRU, the Russian spy agency that does cyber offensive operations and how everybody both in Ukraine and other areas have elicited their hacker communities to help out, which can be very fraught with spillage and a whole bunch of other issues that go beyond what they intended. Really kind of adds extra to the level of crazy to the situation. But let's just talk about cyber in general and what's been happening.

The threat we kind of look at, there's nation state threats, there's cyber criminals and then there's terrorism. And then you have your average just wannabe hacker. And really that's not the scenario we see much anymore. The kid sitting in his bedroom trying to hack into something for fun. That's really a lot less of what we see today. What we see is the nation states we're most worried about are North Korea, Iran, China and Russia, of course. China and Russia being the most sophisticated. And so from a nation state perspective, we absolutely worry about that because as you've seen with Russia, they build cyber operations into their other lines of operations. And by that, I mean anytime you're going to have a military operation, you'll have a land, maybe a particular land element to it, a maritime element, maybe a space element or an air element. And so you weave in this cyber element across all of that so cyber can help enable all of those operations. There's things you can do offensive and defensively to do that.

And so what we see is nation states taking increasingly interest in preparing the battlefield way in advance, scoping out targets, what would they attack? Those kind of things. Things like our SCADA systems, the systems that control our power and our water, our transportation systems. Those are things that we of course are very concerned about as a nation. And you saw that in President Biden's executive order last spring too. He really honed in on that.

Stewart: You said, did you use the term SCADA? I'm just not familiar with the term.

Danelle: Yeah, yeah. SCADA, so that's your control systems that manage things like operational technologies is what we call it. You think of not a computer on your desktop but something that might control the generator at a power plant, something that might control the water distribution plant or maybe even in something like agriculture could be the fertilization machines and things like that. Anything that's related to control of those kinds of systems, that's what we would want to protect against, the big transportation systems, the rail systems and things like that for example.

Stewart: When there are cyberattacks, what I think of in my head is that the offense is ‘I'm trying to get secrets from you’ or ‘I'm trying to disrupt the financial system’. I also think in terms of identity theft but after listening to your first answer, I'm looking at that going, really this is when you see a military operation, for example, they're going to try and take down the power grid by attacking the SCADA network. Is that fair? That's a very uninformed explanation, but am I generally correct?

Danelle: Yeah. There's a couple different ways to look at an offensive attack on our nation and SCADA would be a primary target should somebody be serious enough to want to truly cause chaos and disrupt us. Now the problem with attacking our SCADA is that you got to assume that we're going to retaliate in some manner. And so it can quickly escalate and get way out of control and you can have unintended effects. For example, after 9/11, when they shut down all the train trestles to look for bombs underneath the train trestles, Los Angeles was within three days of running out of fresh water because they didn't have any chlorine because the only way they could move chlorine was via the rail system. There's second and third order effects to all of this that you just don't want to poke that bear.

That would be, an attack on SCADA something on a large scale would be, you're getting into an area that would escalate things quite rapidly. And we don't have red lines as a nation on cyber activity. For example, it's not like nuclear where mutually assured destruction, you shoot, we shoot. We don't have red lines like, hey, if you cross this red line, we're going to do X, Y or Z. And so there's still a lot of unknown unknowns about the cyber realm. But one thing I will say is going back to who the threats are. You do have those nation state actors that are threats and then you also have cyber criminals, which is where we see more of the activity really nowadays is with cyber criminals. And in the last year or so, there have been a lot of ransomware attacks for example.

And so the average ransomware payment in 2020 was about $312,000 according to Palo Alto Networks and that was a 170% increase over the previous year. Altogether, the United States paid out companies that reported it. A lot of people don't report it because they're worried about the reputational damage.

Stewart: Of course, of course.

Danelle: And all that kind of stuff. There was over $350 million in 2020 ransomware payments paid and 58% of the companies who got attacked, paid that ransomware. Only 54% got access to their data back. Some never got access to their data back, and kept getting hit up for more money. And so for example, in your industry, the insurance industry, there were several big insurance companies hacked just last year, CNA Financial paid $40 million in ransom to a Russian cyber gang in May 2021. You had Pan-American Life Group in February 2021 got hacked and then Geico got hacked, and while they only stole customer confirmation on a limited scale and some licenses, that attack actually went on from January to March before they even knew about it. And so there's a lot of interest by cyber criminals because it's good money. You know what I mean?

And cyber criminals like insurance companies like you because you guys have lots of PII and personal data. You have customer credit card information. A lot of times customers have linked their credit card and their information to their bank so you have links there. You've got a lot of payment info and they even have information on non-customers that can be affected. Say somebody goes to request a quote from you, they could be a victim as well, even though they may not be one of your actual customers. And so there's a lot of threat to your industry specifically because they know there's critical data that they can get at and use and resell and all that.

And so the third kind of group is terrorist groups and we all know who the terrorists are. They're less active than other groups. And so the thing I will say though, is that people need to be aware of this threat because they have to have plans in their companies to address it. And so one of the first things that all companies need to do is they need to understand what is their no-fail mission? For the insurance company, your insurance companies, what would be the one thing or the two, three, top three things that cannot fail no matter what, even if you have to revert back to paper and pencil because your systems go down? What are those critical things that can't fail? And then you have to map, you have to have your folks map your systems that contain those data and information for those processes to those no-fail missions.

And then you have to have measures in place for those systems to know where your data is, how it's protected and how you're going to make sure that you can operate and have some resiliency should those systems be attacked and you not have access to them or never get access to them again. What would your response be? Companies need to go through that and then they need to practice that response. They need to actually do drills where they practice, okay, we're going to go through that this happened and not is table top it sometimes. Sometimes you have to turn the system off to really force an understanding of like we talked about, what are all those second, third order effects? And so there's several things that companies need to do in addressing that no-fail mission and one is the people process.

75% of the ransomware attacks start with somebody doing phishing emails. That's sort of like the email, phishing emails, the email you might get that looks like it's from your bank or looks like it's from your boss and it says, "Hey, click here. I just need you to check on this report." Or, "Hey, open this PDF file and make sure our report is accurate." And the minute you open that up or click on that link, what it really does is behind there, there's some bad code and it sends a little a call out, we would say to a bad actor's website or a server. And then they establish a channel to your computer network, where they can get into your computer network through your account. And then what they do once they're in is they try to what's called laterally move. They try to then get more privileges to do other things on the network and move other places and get access. And then they would implant malware or they would maybe monitor what's going on or they might just steal data, exfiltrate data.

There's many different things they could do. And so you have to have systems in place to catch those kind of interruptions. Say somebody does unfortunately click on a link. There should be ways in their systems that are sophisticated enough to catch those outgoing calls and incoming calls that would seem a little bit out of the norm, abnormal. And then the activity, the network tools that you have for cyber defense would catch that sort of anomalous network activity and shut it down so it wouldn't allow it to go any further. Those are kind of things that your companies need to think through. And they need to also think about how they protect their networks. And I'll quickly talk about this and then I'll give a pause for you to ask some questions.

In the past, we sort of took a castle approach to this. You had all your data is in the castle. And what you would do is you would put a really big moat around your castle with a lot of water. In the terms of IT, that might be a firewalls and intrusion detection systems and other systems around your core systems or your network to kind of try to protect and see what's coming in and out, what's going on. Now we're saying, "Okay, that's kind of a fools errand because someone will always get in. Someone will sneak into your castle somehow." And so what we do now is we check everybody. We're moving to what's called a zero trust environment where you check every person going in and out of a castle and what are they doing? And where are they going? And where are they coming from?
You do still have those perimeter defenses but what you also have and more importantly is you don't trust anybody and you double check everybody coming in and out of there and where are they going? What are they doing? And you got to do that in an automated way. Humans can't do this. You need automation to help you. And you see some of that in some of the things that you have with your banks and things now where they require you to do an extra code. They'll send you a mobile code to your mobile phone that you have to put in. That's called two factor or multifactor authentication. It's not just a username and password, which can be easily hacked. They do that plus they may do some biometrics. They may do your thumbprint or your eye scan, your eye. Or they may do where you get a code sent to your phone or something like that.

The more security you can build in, the harder you make it for a hacker, they're going to go somewhere else. And I don't think the nation state actors would be going after your industry as much, unless they wanted to have do the financial impact to that portion of critical infrastructure. But the most that we see is really where it's criminals, cyber criminals, looking for money that do that. And if you are hacked, you really need to have a plan for how you're going to respond to that. What is your company going to do? Are you going to pay ransom or not? You report it to the FBI and the CISA, which is the arm of Department of Homeland Security that does cybersecurity and you report it to the Treasury Department's Office of Foreign Asset Controls but FBI discourages paying hackers because a lot of times they don't go away and worse they may have burrowed into your network and are still sitting there so after you pay them, they're still sitting there and you just don't even know it.

I'll stop there and let you ask some questions or we can take the conversation in any way you want.

Stewart: When you talk about reporting these intrusions to the FBI, the ARI and Department of Homeland Security that deals with cyberattacks, is there a standard protocol that exists for, does everybody understand what to do? Or is that part of the problem?

Danelle: Well, I think, companies that have a chief information systems officer, that person would know what to do and that person should be on sort of the distribution list for the CISA and FBI and NSA updates on things that, because they provide updates all the time on what commercial industry can do to improve their cyber defenses, improve their cybersecurity training for people, how to look for things that might be threats, specific threats that they can give additional intelligence about. Obviously not classified, but enough intelligence that people can be on the lookout for those kind of things. I think there are mechanisms already out there that are well understood. There's some that are still being developed.

President Biden's executive order that came out in May of last year, directed that there would be a group that would do sort of like when the FAA has a plane to go down, they send a group of people out to do an investigation. The national transportation board goes out and does an investigation of that and gets all the facts and they don't say what should be done about it, they just give the facts out and then there's other folks who determine what happens with that after that. They're starting something like that for cyber too, so that there can be a broader, deeper understanding of what happened, what the impact was and then what should be done about it. There's things like that are in the works and there's things that have already been out there for a while. And so there's communication that has to happen.

Say you are hacked and it's a criminal hack and they're asking for money, a ransomware attack. Obviously your IT department's going to be in the throes of trying to figure out, okay, what the heck's gone on? What data is missing? And a lot of times you don't know that for months, honestly. That's a really hard problem to figure out, where they are, what happened, what's been stolen. And so an attribution of that can be really difficult too. Making sure that you know who it was, was it one hacker? Was it multiple hackers? Whatever. You have to have in place already before you get hacked, you have to assume you're going to get hacked because at some point everybody will, it's just probably going to happen. You have to assume you're going to get hacked.

You should have a plan for how you're going to respond to that from a strategic communication perspective, external to your organization and how you're going to respond to your customers, not just stakeholders and shareholders but to your customers and how you're going to respond to the people or talk about it in terms of what has to happen internal to your organization. Because you're going to have a lot of churn and chain in the organization when people have to go to your resiliency plans because their systems and data are no longer available. You have to have all those things in place and what will your policy be on ransomware? And have you coordinated that with your board of directors? Does your board of directors approve that you're going to pay ransom or not? And how much? What do you think your limit is? And do you have insurance for ransomware?

It's interesting. We talked about CNA, they paid ransom after two weeks because it just got too painful for them. They didn't do it right away and oh, by the way, they offer cyber insurance. You would think they would be all over this but they still suffered. It's going to happen. People need to be ready for it and you need to have all that strategic communication sort of kind of ready to go too. What are you doing? What's your response? How are you handling it? What are you doing with your customer data? And you have to be transparent about what you have lost and that will result in lawsuits and it will result in legal things and other fees. And so you have to make sure that you have budgeted for those kind of events because they're not cheap.

Talking to your board of directors. One thing you can do is have your CISO, your information security officer, brief the board as a matter of record on the board in the minutes that it's important that they understand on a quarterly basis when they have their board meetings, what has been done with regard to improving cyber defenses, how are they working to protect customer information and stakeholder information and data and if there is an incident, there should be immediate notification to the board about what was the incident, what you know about it, what the impact is and how you're mitigating the information and then how you're communicating that out. That external reporting and strategic communication is very, very important. It's just you can't wait till it happens till you to start thinking about these kind of things. You have to have your plans in place, ready to execute when they happen because they're going to happen.

Stewart: You mentioned at the top of the show that you work with companies and boards of directors, and I think if you've been in those rooms before, I think it's fair to say that there's a varying level of understanding of cyber risks by board members. How often are the risks that you're laying out for them, how often does that fall on deaf ears? Or is it minimized because there is a fairly significant cost to put up a defense that maybe the board member says, "Ah, I just don't see the risk. This isn't going to happen to us." Do you ever get kind of a skeptical response from a board?

Danelle: Well, I'll tell you, I sit for corporate boards as an independent director and I'm sort of the cyber person in the group normally. And so I bring these issues up and a lot of times they may not understand everything about it but they understand when you're bringing up and you're talking about that cyber oversight risk, what that means. And I do see that they're very engaged on that. Now you kind of have to remind them all the time, not all the time, but depending upon the company, you kind of have to remind them that for example, don't bury the cyber brief in the operations brief at the very end. Bring it out at one of the beginning briefs of your meeting because almost every company nowadays is a cyber company. When you think about it, I remember hearing the CEO of Levi's talk and he said, "I'm a software company that's sells jeans."

That's how people need to think about their information and their data and particularly in an industry like yours, which is data driven. You're not producing a pair of jeans or a product, you're producing policies, it's all information. And so you have to understand that that is existential to your existence. And when you have a breach, you may have the best reputation for years and years and that will be totally gone overnight if your data are breached. It's existential to these organizations and they need to put that kind of level of scrutiny on it.

Additionally, board of directors are being held accountable legally, personally, for breaches and data that they should have provided better oversight for. There's a Caremark case from 1996 that poses a framework for holding these directors personally liable for breaching duty of loyalty and when they fail to appropriately monitor and supervise something in that enterprise and now that enterprise includes cyber. You're seeing increasing challenges to specifically board of directors on an individual level and the directors themselves getting sued for breaches when a company has a data breach. The scrutiny that a board's going to place in the future is going to be way higher than it has been in the past, I suspect.

Stewart: You talked about ransomware a little bit and a ransomware policy. Just in listening to the risk and the actors, it just seems like a big, big problem. Even a company as small as ours, we're a digital media company, we get people beating on our site. Why would anybody be beating on our site, for example? Are they looking for resources? Or I've heard different explanations.

Danelle: What they're looking for is data on your customers and, for example, an insurance company, a hacker will go after even a small insurance company because then what they'll do is, they might not be interested in John Doe's address and Social Security number. What they're interested to know is what companies have bought cybersecurity policies with you, that if they go after those companies, they know they're going to get money because someone's going to enact that policy. For an insurance company that offers cybersecurity products, that's an increasing concern because the hackers are smart enough to know, hey yeah, there's not a big return on investment if I go after Joe Bag of Donuts but if I go after and get the database that includes who all of this insurance company's customers are and who has policies for cybersecurity and where are those policies pay out? Then they'll go after those companies because they know that they have cyber policies, they know they have security and that they know some insurance company's going to pay it. It's for your industry, I think it's even more critical about what would someone do with that information?

Stewart: It's really interesting and a lot of insurance companies offer cyber products and we did an interview in New York on a New York CFA panel and I asked a question about cryptocurrency, is a hot topic. And I asked this panel, "Why would you invest in crypto?" And I don't want to speak for this person but I'll just paraphrase the answer, Geoff Cornell at AIG, he said, they don't invest in crypto but he said the most convincing argument that he's heard is, "Do insurance companies who offer cyber policies, do they need to hold a strategic amount of cryptocurrency to pay claims?" Because it seems that this is a dark, these hackers, they're not public sites. They're hard to find. It doesn't really register with me of how these things can infiltrate your site but it has got to be an unbelievable disruption to a company. And it makes total sense to me that you would want to know who are the policy holders because those people have coverage to pay a ransom, right?

Danelle: Yeah. They'll get targeted. They'll go after them.

Stewart: It's a very interesting point. Just for the sake of it, what is a denial of service attack? Why would I do that? If I'm a cyber criminal or a bad actor, what's a denial of service attack and why would I do it?

Danelle: Well, it's a nondestructive attack. You could have destructive and nondestructive cyberattacks. And what it does is it makes it that, almost think of it like you're flooding something and you can't get to it. A denial of service attack will make somebody's website where thousands and thousands and millions and millions of people are trying to get on once but they're not really people, their bots that the cyber criminalist is having go after your site and it just floods your site so much, it brings your site down, crashes your site. We've been seeing denial of service attacks for example, with Ukraine, what's been going on with Ukraine because those are fairly less sophisticated to execute than implanting some malware on somebody's system and then controlling that malware in and out of that environment.

But a denial of service attack, those are less sophisticated and you can buy tools off the dark web, super easy to do that for three bucks. You know what I mean? You don't need a level of sophistication that's over the top either to be able to execute something like that. You wouldn't see that so much, I don't think, in your industry as someone trying to exfiltrate data or to lock down your data and do that ransomware thing. And when it comes to the ransomware, I think too, the Cybersecurity and Infrastructure Security Agency, CISA, who I mentioned before, they work for they're the cyber element of Department of Homeland Security. They have a whole website called stop ransomware and they have tons of resources. They have, hey, if you've been hit by ransomware, this is what you do. Here's our known catalog of exploitable vulnerabilities so you can protect yourself and close these vulnerabilities by patching your systems and making sure you're taking the right actions to prevent an attack. What are your protection response and services things that you might be able to do?

There are resources out there that are free and that are really good, not just with CISA but with NSA and some other government agencies, the FBI that provide companies some really good advice about what to do to best prepare and to understand your networks. One of the best things a company can do is understand what's normal on your network so that when there's a perturbation, when there's something that happens, people are like, "Hmm, that was weird." You don't just go, "Hmm. That was weird," but you go, "That was weird. Let me look into that yesterday and figure out what it is and let me stalk some traffic coming in and out until I figure out what's going on and make sure it wasn't a malicious activity."

Stewart: It's so interesting. I could talk to you about this forever. When we look at nation state actors or terrorists or criminals or whatever and you had mentioned that the US does both defensive and offensive cyber activities. Is there a, I don't know what you would want to call it, is there a rank order of sophistication? Is it Russia and China at the top of that? You mentioned North Korea. How do we stack up in cyber world versus some of the other nation states? And when I say we, I mean the US.

Danelle: Yeah. No, the US has very capable forces. The United States Cyber Command has actually a whole organization underneath them that does cyber operations on behalf of the nation. And there's six over 6,000 people that are specifically trained just to do this. We're a very capable force and the National Security Agency and other agencies have long been partners with CYBERCOM and working to share our intelligence and do different things like that. And of course you have under the Department of Homeland Security and the FBI, because remember criminal stuff, ransomware, that's under the FBI's jurisdiction. The nation state activity would be under the jurisdiction of the military, should military action be required, whether that's cyber or something else. We have very capable forces. But again, there's a significant investment in cyber from a whole bunch of nations because they see like for example, to build an aircraft carrier, our last aircraft carrier costs more than $13 billion. Well, how much does it cost to build a capable hacker if you're ISIS, for example?

I can buy tools off the dark web for a password cracker for $2.50 or a keystroke logger that logs somebody's keystrokes on the computers for less than 10 bucks or a whole hacking manual for less than 10 bucks or cell phone repeater towers to steal information from that, for maybe 20,000 to 30,000 bucks on the dark web. It's kind of been a big leveler because everybody's stuff is so connected now that you can have an effect in operational and military, a strategic effect, by impacting somebody's information and not just impacting it in the way we talk about ransomware and stealing. But think about misinformation, disinformation. The Russians are masters at that. Look what they did during our election.
You can cause a lot of chaos by instilling uncertainty. For example, someone could start putting things out about your insurance company, X, Y or Z and just saying that they've been hacked and that they're not admitting to it. Now that may be totally false but if they do that, the customer confidence is going to go down. They're going to probably switch insurance companies. There's all sorts of ways that they can be creative on the internet. It's a great leveler for people with evil intentions.

Stewart: You are fascinating and what an amazing. I'll tell you what, we'll post that if it's okay, I'd love to post the link that you mentioned on what sounds like best practices on cyber.

Danelle: Yeah. Just if you go to www.cisa.gov/stopransomware - that's their ransomware site. And they have some other sites like I said, FBI and NSA have sites too.

Stewart: Good. We'll put that up when we post the podcast and I can't thank you enough for being on. We have reached, and Michael's well aware of this question, but you may not be. We've reached the end of our cybersecurity portion of the podcast and this is the ask me anything portion, which I hope you'll go along with.

Danelle: Sure.

Stewart: I want to take you back to a day that I think you'll remember and this is when you first were commissioned into the Navy as an officer and that day I'm sure was memorable. No matter what sort of festivities you may have been involved in the evening before, some sort of celebration, that that day I'm sure that you are bright eyed and bushy tailed on this day of you receiving your commission. And right after you get it, you run into Danelle Barrett today. What would you tell your 21 year old self?

Danelle: Yeah, I think it's kind of amazing because I'm just incredibly lucky to be where I am. The day I was selected for admiral, there were probably 20, when all is said and done, there were probably maybe 20 other people who were just as competitive and just as worthy as me but the wind just happened to blow my way that day. And so I never take for granted how lucky I am. And you can do all the right jobs and all that and still maybe not make captain or not make admiral or whatever you hope to see happen but you can't judge your success in your career by some terminal pay grade or something like that. I always felt, and I still feel it from day one to now, that I judge my success by the people who still come up to me when I happen to be in a military area and they recognize me and they'll say, "Hey, you're the reason I stayed in the Navy," or, "You don't know this but you helped me out. You gave me a second chance when nobody else did."

And so those kind of moments where you touch somebody's life as a leader on an individual personal level, are so much more important than anything you'll ever do anywhere else. I just am really grateful I've had the opportunity to lead a lot of sailors and soldiers and civilians and to be led by really great sailors, soldiers, Marines from everybody, who gave me great lessons and leadership. And I hope that I've taken pieces of them in my little toolkit and passed them along. But that's the kind of thing that my 20 year old self would be to say, "Don't take yourself too seriously. Keep yourself in check with some humility and always be looking to learn to make yourself a better leader because you can pass that on to others."

Stewart: Very good advice. Rear Admiral Danelle Barrett, retired, senior advisor to Academy Securities. Danelle, thanks for being on.

Danelle: Yeah, sure. It was my pleasure. Thank you very much.

Stewart: Thanks for listening. If you have ideas for a podcast, please email us at podcast@insuranceaum.com. My name's Stewart Foley and this is the Insurance AUM Journal podcast.

The InsuranceAUM.com podcast is available on