Security Leadership and Management | Columns

Measuring the Role of Risk Transfer in Cybersecurity Management

Recent events have catapulted cyber threats from a compartmentalized CISO responsibility to a boardroom discussion about director liability.

April 1, 2014
Bob Liscouski and David W. White
KEYWORDS business insurance / cyber security insurance / data breach costs / security risk management / security systems

Recent events have catapulted cyber threats from a compartmentalized CISO responsibility to a boardroom discussion about director liability. How does senior management know when cyber risks are being properly managed?

Many CSOs and CISOs have viewed cyber insurance instruments with indifference since their inception. Arguments against purchasing coverage range from limited insurance scope to a perceived lack of value to confidence that traditional preventive security controls are adequate.

However, cyber insurance purchasing has recently taken hold. The principal driver has been a widespread acknowledgement of privacy breach risk and recognition that insurance solutions for specific exposures present a cost-effective and meaningful mitigation tool. Second, as commercial clients increasingly require evidence of cyber insurance as a contractual condition, many firms purchase a policy in order to “check the box” and comply with their clients’ acquisition process. Additionally, many boards of both public and private companies have begun advocating for such coverage to fulfill their fiduciary duties.

Organizations increasingly recognize that cyber-risk is no longer limited to the digital domain but now extends across the entire risk spectrum, from financial to physical. This new reality requires CSOs/CISOs to partner with their risk management counterparts to execute enterprise-wide cyber-risk strategies that involve integrating surveillance technologies. More importantly, the ultimate goal of a CSO/CISO cannot be to entirely eliminate risk but rather to manage it as effectively as possible. Accomplishing this requires a combination of technological, physical and financial controls. The key is to understand the point of diminishing returns for any one class of control and to recognize when resources should be directed to other types of controls.

Today, much of the available cyber insurance covers privacy and data breach risk, with more limited amounts of coverage available for network business interruption losses and the destruction of intangible assets. There have been some recent positive developments, including coverage for loss of future revenue that results from the negative reputational effects of a cyber event. However, there are growing concerns that traditional insurance coverage (such as property and casualty) requires clarification for cyber-precipitated losses due to the presence of vague “electronic data” exclusions. “Check the box” underwriting approaches will neither identify nor mitigate deficiencies that may facilitate a catastrophic loss.

The good news is that new underwriting approaches and quantification capabilities are being developed that provide enterprise-level insight and give the insurance market confidence in understanding a policyholder’s cyber exposure. This is precipitating the emergence of comprehensive, enterprise-wide cyber policies that include coverage for the policyholder’s own financial losses and costs related to a cyber event, all forms of third-party liability and any cyber-predicated bodily injury or tangible property losses. However, there will be a departure from the current market climate wherein heavy competition among insurance carriers and an abundance of offerings for privacy breach coverage has led to the reality that even firms with sub-par security can procure coverage.

This is exactly where the CSO’s/CISO’s leadership becomes critical to the insurance underwriting process. Insurance underwriters prefer to back companies that exude mature risk management capabilities, and this is especially true for a comprehensive product that covers emerging and dynamic cyber risks. Such strategies must prioritize the organization’s critical assets, align with non-IT protections and provide some quantification that risk is actively being managed and covered. Organizations demonstrate maturity by working to understand their enterprise risk and by implementing converged surveillance solutions, processes and methodologies that cut across internal hierarchies. Converged security monitoring and surveillance activities are systemic in nature, spanning technology, process and culture.

An engaged leadership team understands that the implementation of converged surveillance systems offers greater domain awareness via improved detection, correlation, prevention and mitigation capabilities that preempt catastrophic losses. Cyber insurance objectively supplements an organization’s converged surveillance activities by offering economic incentives derived from risk management-based feedback mechanisms, which in turn are derived from an actively managed enterprise-wide surveillance program. In this manner, the organization’s balance sheet is protected from cyber-predicated financial loss.

All industries, across all sectors, currently have the opportunity to demonstrate that the market approach is still the best approach in allowing companies to maintain control of their security environment. If we do not seize this opportunity, the government may decide that regulation is the only approach. If such a regulatory path is pursued, cyber criminals will be among the beneficiaries because regulation can never keep pace with the rapidly evolving threats in cyber space.


About the Columnists: Bob Liscouski is CEO and co-founder of Axio Global LLC, an innovative enterprise cyber risk management firm focused on protecting and preserving the value of companies that are essential to our global economy by providing complete cyber risk mitigation and transfer solutions. He is the former Assistant Secretary for Infrastructure Protection for DHS. David W. White is a founder and senior executive at Axio Global. Previously, White worked in the CERT Program at Carnegie Mellon’s Software Engineering Institute, where he provided technical leadership for a portfolio of cybersecurity and resilience maturity models and frameworks and associated research, diagnostic methods and training.
