Posted by Andrew Rose on May 15, 2012
For many years, security professionals have lived by the three pillars of risk management – AVOID, TREAT, ACCEPT. These great tenets have served the profession well, enabling CISOs to build appropriately secure networks at a tolerable level of cost. Unfortunately, as evidenced by the litany of security breaches we have seen over the past 12 months, it’s clear that the landscape is changing. More than ever before, security is clearly a ‘no-win’ game.
The high profile attackers, state-sponsored or otherwise, are one threat – but it goes deeper than this. The keys to the kingdom are no longer in the hands of the generals and policy makers; their decisions and discussions are enabled by email, IM and IP telephony, all of which sit firmly in the domain of the IT department and system admin – and stressed, poorly paid employees do not make the ideal custodians of such critical information. As an example, Anonymous claims to have access to every classified government database in the US, but they didn’t hack them – disaffected system administrators and employees simply opened the doors for them, or sent them the access codes.
As the broadening gap between our ambitions for a secure enterprise and our abilities to deliver on such a vision become self-evident, the time has come to pay equal attention to the poor cousin of risk management, “TRANSFER.” For many CISOs, risk transference is a topic that is largely theoretical as, even when a task is outsourced, the risk associated with a breach commonly remains with the data owning organisation. Cyber insurance offers a different solution.
Theoretically, cyber insurance can enable a company to experience an information breach and avoid many of the negative financial and reputational impacts. This sounds ideal, yet many CISOs are still reluctant. Could it be the cost of cover, the complexity of getting the right policy or a simple lack of faith that an insurance company will pay-out when the breach actually occurs?
Join me at the Forrester Security Forum in Las Vegas, and subsequently in Paris, where we will be talking about this topic and more. Join in the discussion using the #FSF12 (Las Vegas) and #SFE12 (Paris) hashtags.