Surveillance Strategies / Security Leadership and Management / Columns

Measuring the Role of Risk Transfer in Cybersecurity Management

Recent events have catapulted cyber threats from a compartmentalized CISO responsibility to a boardroom discussion about director liability.

Recent events have catapulted cyber threats from a compartmentalized CISO responsibility to a boardroom discussion about director liability. How does senior management know when cyber risks are being properly managed?

Many CSOs and CISOs have viewed cyber insurance instruments with indifference since their inception. Arguments against purchasing coverage range from limited insurance scope to a perceived lack of value to confidence that traditional preventive security controls are adequate.

However, cyber insurance purchasing has recently taken hold. The principal driver has been a widespread acknowledgement of privacy breach risk and recognition that insurance solutions for specific exposures present a cost effective and meaningful mitigation tool. Second, as commercial clients increasingly require evidence of cyber insurance as a contractual condition, many firms purchase a policy in order to “check the box” to comply with their client’s acquisition process. Additionally, many boards of both public and private companies have begun advocating for such coverage to fulfill their fiduciary duties.

Organizations increasingly recognize that cyber-risk is no longer limited to the digital domain but now extends across the entire risk spectrum – financial to physical. This new reality requires CSOs/CISOs to partner with their risk management counterparts to execute enterprise-wide cyber-risk strategies that involve integrating surveillance technologies. More importantly, the ultimate goal of a CSO/CISO cannot be to entirely eliminate risk but rather to manage it as effectively as possible. Accomplishing this requires a combination of technological, physical and financial controls. The key is to understand the point of diminishing returns and recognize when resources should be directed to other types of controls. 

Today, much of the available cyber insurance covers privacy and data breach risk, with more limited amounts of coverage available for network business interruption losses and the destruction of intangible assets. There have been some recent positive developments, including coverage for loss of future revenue that results from the negative reputational effects of a cyber event. However, there are growing concerns that traditional insurance coverage (such as property and casualty) requires clarification for cyber-precipitated losses due to the presence of vague “electronic data” exclusions. “Check the box” underwriting approaches will neither identify nor mitigate deficiencies that may facilitate a catastrophic loss.

The good news is that new underwriting approaches and quantification capabilities are being developed that provide enterprise-level insight and give the insurance market confidence in understanding a policyholder’s cyber exposure. This is precipitating the emergence of comprehensive, enterprise-wide cyber policies that include coverage for the policyholder’s own financial losses and costs related to a cyber event, all forms of third-party liability and any cyber-predicated bodily injury or tangible property losses. However, there will be a departure from the current market climate wherein heavy competition among insurance carriers and an abundance of offerings for privacy breach coverage has led to the reality that even firms with sub-par security can procure coverage.

This is exactly where the CSO’s/CISO’s leadership becomes critical to the insurance underwriting process. Insurance underwriters prefer to back companies that exude mature risk management capabilities, and this is especially true for a comprehensive product that covers emerging and dynamic cyber risks. Such strategies must prioritize the organization’s critical assets, align with non-IT protections and provide some quantification that risk is actively being managed and covered. Organizations that demonstrate maturity in attempting to understand their enterprise risk and implement converged surveillance solutions, processes and methodologies that cut across internal hierarchies. Converged security monitoring and surveillance activities are systemic in nature, spanning technology, process and culture.

An engaged leadership team understands that the implementation of converged surveillance systems offers greater domain awareness via improved detection, correlation, prevention and mitigation capabilities that preempt catastrophic losses. Cyber insurance objectively supplements an organization’s converged surveillance activities by offering economic incentives derived from risk management-based feedback mechanisms that are derived from an actively managed enterprise-wide surveillance program. In this manner their organization’s balance sheet is protected from cyber-predicated financial loss.

All industries, across all sectors, currently have the opportunity to demonstrate that the market approach is still the best approach in allowing companies to maintain control of their security environment. If we do not seize this opportunity, the government may decide that regulation is the only approach. If such a regulatory path is pursued, cyber criminals will be among the beneficiaries because regulation can never keep pace with the rapidly evolving threats in cyber space. 

 

About the Columnists: Bob Liscouski is CEO and co-founder of Axio Global LLC, an innovative enterprise cyber risk management firm focused on protecting and preserving the value of companies that are essential to our global economy by providing complete cyber risk mitigation and transfer solutions. He is the former Assistant Secretary for Infrastructure Protection for DHS. David W. White is a founder and senior executive at Axio Global. Previously, White worked in the CERT Program at Carnegie Mellon’s Software Engineering Institute, where he provided technical leadership for a portfolio of cybersecurity and resilience maturity models and frameworks and associated research, diagnostic methods and training. 

Did you enjoy this article? Click here to subscribe to Security Magazine. 

Recent Articles by Robert Liscouski

You must login or register in order to post a comment.

Multimedia

Videos

Image Galleries

ASIS 2013 Product Preview

ASIS International 59th Annual Seminar and Exhibits, September 24-27 in Chicago, Illinois, will include an exhibit hall packed with innovative security solutions. Here are some of the products that will be shown at ASIS this year.

Podcasts

Virtualization and Data Center Security: What You Need to Know for 2014

Data centers are increasingly becoming the center of the enterprise, and data center and cyber security is following the same path for security departments. According to Justin Flynn, a consultant at the Burwood Group, the virtualization of data centers allows enterprises to scale more easily and faster, with a smaller footprint.

However, hosting enterprise data in the cloud can make intrusion detection more difficult – how can enterprise security leaders team up with other departments to keep aware of cyber risks and traffic, and physical and data compliance during the virtual transition? How can CISOs and CSOs discuss cyber threats with the C-Suite to get the resources they need? And how can the proper infrastructure test and verify possible malicious attacks? 

More Podcasts

Security Magazine

September 2014

2014 September

In the September issue of Security Magazine, find out who this year's most influential people are in the security industry are. Also, take a peek at the technology products that ASIS 2014 will be showcasing at the upcoming event. Read about the lessons learned from security at the World Cup, find out why tactical medical training is a must for your enterprise and how Atlanta increased security by sharing surveillance.
Table Of Contents Subscribe

Adopting New Technology

How long do you wait before adopting a new technology?
View Results Poll Archive

THE SECURITY STORE

comptiahighriseproductphoto
CompTIA Security+ Certification Study Guide
CompTIA's Security+ certification is a globally-recognized, vendor neutral exam that has helped over 60,000 IT professionals reach further and higher in their careers. The current Security+ exam (SY0-201) focuses more on being able to deal with security issues rather than just identifying them.
More Products

Clear Seas Research

Clear Seas ResearchWith access to over one million professionals and more than 60 industry-specific publications,Clear Seas Research offers relevant insights from those who know your industry best. Let us customize a market research solution that exceeds your marketing goals.

Vertical Sector Focus: Critical Infrastructures

criticalhomepagethumbFrom terrorism to vandalism, it’s preparedness, response, training and partnerships. Learn about some of the critical security issues facing this sector.

Visit the Critical Infrastructure page to read more.  

STAY CONNECTED

Facebook 40px 2-12-13 Twitter logo 40px 2-12-13  YouTube  LinkedIn logo 40px 2-12-13Google+