August 19, 2015
I am often asked to describe my dystopian view of how cybersecurity insurance will come to take over information security. I’ve given the pitch numerous times in talks and panels, but it’s never really been captured anywhere, so here it is.
Insurance as a maturity indicator
People see insurance entering into security as a bad thing, and maybe it is, but it should not be unexpected.
If something involves both risk and significant quantities of money, there are likely people trying to buy or sell insurance around it. The car industry is informative here. As is healthcare, and countless other industries.
There are three basic things required for a space to be fully embraced by the insurance industry:
- Significant risk associated with the space, e.g., dying in surgery, getting into a car wreck, etc.
- Adequate money in the form of a population able to pay premiums.
- Sufficient actuarial data on which to base the pricing and payout models.
The automotive and healthcare spaces have all three of these. Information Security only has the first. Companies are just now realizing that they can/should have insurance, and (much worse) we have very little data to build models on.
So things are a bit slow on both sides: companies aren’t yet demanding the protection, and insurers are somewhat cautious on how to provide the coverage in a financially responsible way.
This trend only goes one way
But both of these obstacles are being addressed, either naturally by the passage of time and people realizing they want/need coverage, or explicitly through active research into breach/controls actuarial data.
Once all three conditions are met, InfoSec will become a highly insured industry. It’s an inevitability in the same way that managers and human resources departments are unavoidable in large companies.
Anatomy of insurance-based InfoSec
So what’s this going to look like? How bad will it actually be?
Here are a few things we’ll see happen as a result of insurance becoming more prevalent in infosec:
- Insurance companies will have strict InfoSec standards that will be used to determine how much insurance, of what type, they will extend to a customer, as well as how much they will charge for it
- As you would expect, companies who are deemed to be in poor security health will either pay exorbitant premiums or will be ineligible for coverage altogether
- In this world, auditors become the center of the InfoSec universe. Either working for the insurance companies themselves, or being private contractors that are hired by the insurance companies, these auditors will be paid to thoroughly assess companies’ security posture in order to determine what coverage they’ll be eligible for, and how much it will cost
- Insurance companies become, in other words, a dedicated entity that uses evidence-based decision making to incentivize improved security
- This change will affect the job market as well, with a dominating focus placed on certifications
- If you’re a regular business, you’ll have to have certified people working in approved roles, like a manufacturing job. You won’t be able to have just whoever working whatever job.
- And if you’re an auditing company, you have to employ people who are certified to do exactly the types of audits that they’re doing
- For both internal and audit companies, those certifications will have to be maintained the same way medical professionals have to maintain their knowledge. Not like a CISSP where you lose a credential if you don’t renew it, but where you’re just instantly fired if it lapses
Growing up and acting like other industries
When you think about it, it’s not really insurance that’s making this happen, it’s industry maturity as a whole. It’s InfoSec becoming just like every other serious profession.
Think about a hospital, or an architecture firm. You can’t hire nurses who have an aptitude for caring, and who helped this guy this one time. Nope—have a credential or you can’t work there. Same with accountants, and architects, and electricians, and civil engineers.
And when a certification lapses for a nurse or an electrician, they don’t get told to renew it—they’re just not allowed to work there anymore. And that’s what’s going to happen in security as well.
InfoSec professionals in this new world will need to be certified just to be able to participate in the industry. And they’ll be specifically certified to do certain roles, like monitor logs, make firewall changes, perform security audits, etc.
Not a panacea
We also need to accept that the standardization and insurance agencies won’t fix everything. Auditors make mistakes, companies can and will successfully lie about their controls, certifications only get you so far, and the insurance companies have their own interests that are often in conflict with the goal of increased security.
But the involvement of a data-driven entity that is incentivized to only give coverage to secure organizations will in turn incentivize those companies to improve their security. And requiring certified people to do jobs will probably help as well.
To be clear, I’m not overly enthused about insurance and regulation driving security. Security is a passion for me, and the last thing I want mixed with my passions is mandatory certification and insurance. But despite that visceral reaction I think the maturity of the industry, driven by insurance, is likely to drastically improve security outcomes.
Not because insurance is wonderful, but because our current system is abysmal.
Right now most entities don’t have a sufficiently powerful entity fighting for security in their organization. In too many places the business is about making money, the infosec people are largely told to make the auditors go away and stay quiet, and external forces such as compliance are only marginally effective.
Think of it this way:
Who in the business fights for skyscraper safety?
Nobody. Because building code is government mandated and enforced by certified inspectors. That’s the direction security is heading as well.
Happy and sad
I have to admit that there is a part of me that would be very happy to see a company get fined for not having an up-to-date asset database. Auditors come in and find out you don’t know where your data is? You don’t know what traffic is leaving the network? Your machines are missing a year of patches?
I’m all for the government and/or the insurance agencies penalizing this type of thing.
Seatbelt laws save lives, and soon we’ll have something like seatbelt laws for asset management, firewall rules, and DNS monitoring. And that’s probably a good thing.
Like I said, I’m torn on it.
Security outcomes will surely improve as we move out of the dark ages and towards a world of standardization and insurance. But the sad part is that when you leave the dark ages you don’t just gain the good parts, you also lose something.
We’ll lose the magic.
- Cyberinsurance is now the dominant term for this type of coverage.