Today, one of the most common discussions I have is "How do I qualify the cyber security risk to my board?" The security industry is very good at defining the type and scale of the threats active today, and with projects such as CISP, companies are starting to share intelligence with each other about the attributes of the real-time attacks they are seeing. Yet we still have a major hurdle to tackle: the business impact that comes from incidents. While we continue to see any breach as a failure, we will continue to keep the business impact of an attack a closely guarded secret. Legislation such as the disclosure laws in the U.S. (which the EU is looking to repeat at some level in the proposed Network and Information Security directive) mandates disclosure of what personally identifiable data was taken, yet this is not the impact, simply one of the potential catalysts of impact.
For cyber insurance to succeed, underwriters will be looking to build out data that lets them determine likely impact based on business type, security controls and dependencies on IT, such as the information an organisation holds and how it uses it. The idea of cyber insurance has floated around for at least a decade, but this lack of data has always been the stumbling point.
The long-term vision is that if insurers could validate the potential impact, they would become the arbiters of what level of security controls each organisation needs to be resilient to its cyber threats, and an organisation that applied the relevant controls would receive an appropriate policy and premium. All of this would help raise the security bar and help businesses qualify both the risks and the value of their security investment.
If we can show that our security is fit for purpose and has been validated by third parties, then we could start to turn the corner and become more willing to share business impact metrics in the right circles. However, until we can get underwriters to certify that we have the right controls in place, only those organisations that are either regulated or choose to be audited have such standards assessed at all.
The chicken and the egg - which came first?