It seems no matter how hard enterprises try, no matter what investments in security controls and processes they make, and no matter how much they strive to harden their systems, data breaches, data manipulation, cyber extortion and other attacks on availability are going to happen. It is much like taking precautions against fraud and theft, or against natural disasters like hurricanes, tornados, earthquakes and fires: industry takes steps to mitigate these risks, but can't eliminate them. Cybersecurity is much the same.
Cybersecurity insurance can help fill that gap, just as it does for other types of risk that can be managed but not eliminated. To get some answers on how some in the security community view the potential role of cybersecurity insurance, we reached out to Chris Blask, who is actively involved in a wide range of domestic and international efforts. He is Founder and CEO of ICS Cybersecurity, Inc.; Chair of the Industrial Control System Information Sharing and Analysis Center (ICS-ISAC); and adviser to several information security companies.
Blask contends that cybersecurity insurance can actually help enterprises better manage cybersecurity risks, and more enterprises are agreeing with him. In the story "Survey says enterprises are stepping up their security game", I covered how cybersecurity insurance is one of the fastest-growing segments in insurance, with 59 percent of survey respondents purchasing some level of cybersecurity insurance. PwC also forecasts that the global cyber insurance market will grow from $2.5 billion this year to $7.5 billion by 2020. Cybersecurity policies commonly cover risks ranging from data destruction to forensic investigations and data restoration services.
A lot of security professionals contend that they can't do their jobs effectively unless there is executive sponsorship for their security programs. They need someone championing what they're trying to do to get security baked earlier into the development process, into the deployment and technology selection processes, and the budget security teams need.
No organization is going to get that kind of executive championship without a certain amount of executive education and awareness building on the need. You think this hasn't been working, and contend that cybersecurity insurance can better align security needs and spending?
To an extent. The reality is that I can be the executive of a manufacturer and not have the first clue of how the fire door technology and fire suppression systems work. But if I know that it will cost me $10 million to transfer this risk, or that I can't transfer fire risk at all, or that it will cost me $1 million to reduce the cost of transferring risk by $6 million, then I can make rational decisions. It just breaks risk down into pure financials. Executives deal with the vast majority of the details of their businesses like this. There is no way they're going to know the specifics of whatever it is, just a breakdown of the economic options.
If you follow this premise, we need rational decisions about security. You end up in that executive suite again. How does an executive make decisions about things that they don't understand? The primary way is by having someone else who studies this stuff a lot help them to price their risk.
"I'll make a bet on you. You pay me $1 million a year, I'll give you a half a billion dollars of coverage as long as you do these X things."
In this example, the insurers studied the security risks. They have the actuarial data. They know that people who put in fire doors of a certain type are 11% less likely to have a given fire incident, and so on.
Now the executive can decide whether the security controls that they are considering mitigate the risk enough to invest in, based on its impact on insurance rates. When insurance gets involved, you get to this straightforward financial decision when it comes to risk management. We always come back to the need to educate the executives about cybersecurity risk. But our approach so far has been explaining technical details to them.
What we need is to have someone else explain costs and risks to them. And historically, in everything, virtually everything, that's something insurance does. Insurance requires actuarial data so insurers can make intelligent choices, manage their risks and set the costs. This way the executives don't need to know anything about security. They talk to their insurance agent. The insurance agent asks them some questions: How are you doing things? Well, if you keep oily rags piled next to the furnace, you are going to have to rectify that situation or the policy is going to cost you 10 times what you would pay otherwise.
Do you think the type of executive security awareness building, driven by the CISO or a security architect who is arguing that they need a bigger budget to invest in certain security controls so that they are not breached, is a waste of time?
This is the historical approach everybody in our industry has been pushing forever, and there are two problems with it. The first problem is that you're begging for funding. You're going to executives and saying, "I need to insert cost and complexity into your life, Mr. or Ms. Executive, for these very, very good reasons. Let me explain them all to you, in horrifying detail."
The second problem is that we are frequently wrong in our arguments. We're not wrong because we're idiots. We're wrong because we as an industry have absolutely no empirical reason to assert that any particular protective measure has any particular empirical value. Without the rigorous statistical analysis of something like insurance actuarial data, we don't actually know if the things we ask executives to support are the most useful things to do.
I could challenge that view, the way I assume a lot of folks would challenge that view, and say that it's obvious that encrypting communications from my web browser or my end point to my brokerage account is a good thing, otherwise ...
Maybe it makes a difference, maybe it doesn’t, depending on how well secured your endpoint is and how well secured the servers on the other end are. The first thing you need to do is build better walls, put a better door in and then look at how you lock the door. The encryption example is a perfect one. Should you do that? Arguably yes. But if I can just hack your computer easily or the database that the information is going to, encrypting the middle doesn't make a bit of difference. Not only that, it's the wrong thing to do because you should have taken that same resource, that same time and money, and secured the endpoints first. That's where the bad guys are going to go.
You need to do all of that, and you would hope that you would do all that, but when you're dealing with an intelligent adversary, a lot of it is economics and it's about raising costs of the attack, and encryption does that. Good authentication does that and solid application development does that. If you do these things, you are going to raise the cost for an attacker to attack you.
The problem is, though, that you have to do all of them. If you do all the things that we've thought of and we haven't thought of something, again, you haven't done anything. You are still at risk of a big breach. This is where insurance and its processes to establish rational decision-making are critical.
How does insurance help with the rational decision making?
The reason we as a security industry are so often wrong about these things is that it's all been based on expert opinion instead of on gray suit and tie, boring actuarial data, where someone has actually done ongoing surveys and learned that, of those 6,000 small credit unions, those who were breached all had certain things in common, and those that had not had a big breach had these different things in common. The second group has a lower incidence of data breach damage, which is associated with a given monetary risk.
Currently we don't know any of this. All we know, the only metrics we have, is that someone was PCI DSS compliant and they were still hacked. Or, they had technology ABC and they were hacked. The insurance industry has to quantify all of this if we are to manage cybersecurity risk. This is what they do. And in the last couple of years there have been more and more efforts in the insurance industry to figure this all out.
Excellent. To put a fine point on it, how does going through the cyber security insurance process help to sharpen the security tool set and processes in the typical enterprise?
It does a couple of things. It puts a rational context on the decision being made about what the risk is. Instead of doing what we've always done, which is some smart person lower down in the corporate stack saying, "Wow! That's a really neat technology or process, and we should do that," that same person is provided greater visibility, through a quantitative analysis, that reveals that while that technology is neat, it's less important to the organization over the next 18 months than doing some other process improvement. This is the best way to educate the executives.
Why haven't regulatory mandates and compliance efforts like PCI DSS or HIPAA forced the kind of decision-making and awareness execs need?
It is hard to force good actions by regulating them, and our industry has not yet done the analytic review of itself. We won't try to solve that first problem here, but the second one is solved by insurance. They are motivated to put significant resources behind analysis of the industry. At the moment this consists of gathering what existing historical data is available, but it is beginning to include fresh data reported to insurers whose policies require such reporting from clients. The volume of empirical data points gathered under this process will come to be the primary whetstone we all sharpen plans and products against.
Why have third parties and partners, in their due diligence risk reviews, not done better at forcing better risk management and decision-making?
Same answers as before, really. It's always challenging for third parties to help enterprises make good decisions, and the recommendations our industry provides to date have not been backed by empirical evidence. We haven't been doing this whole digital communications thing for very long compared with traditional risks like maritime or real estate. We haven't had time to stop and measure our results.
Insurance companies are all about measurement.