Q&A with Steve Durbin, Managing Director of ISF
Maurice discusses with Information Security Forum’s Managing Director, Steve Durbin, some of the key challenges businesses face today in terms of cybersecurity, as well as how ISF helps its clients manage those risks.
Maurice Gilbert: What are the most significant risks that businesses face in terms of cybersecurity?
Steve Durbin: I’d say these fit into two categories: risks that prevent the business from pursuing its strategic goals and those that have the potential to do harm to the health of the business, its customers, its shareholders and employees. With both, the challenge is the sheer speed at which the industry is changing; keeping abreast, let alone ahead, of developments is a challenge for the most seasoned cybersecurity professional, and for the business leader, it is almost impossible. So to my first category – the risk is that the business is left behind – it is just unable to cope with the demands of cybersecurity and is distracted from its strategic direction by the need to conform to the latest regulation, implement the most up-to-date tool. To the second point, new cyber threats and risks are emerging on an almost daily basis, and the danger of not having a clear approach to addressing them in terms of protecting your critical business assets is a very real one that can lead to vulnerabilities and exposures.
MG: What are some areas where organizations have blind spots in their security today?
SD: We love tools, we love to track activity, we love to provide information on who is doing what, and we are seduced by the shiniest new toys that will allow us to monitor our networks and “safeguard” our data. And yet, we know that the majority of cyberattacks, hacks and data exfiltration occur because we have not patched our software, we have not sufficiently trained our people, and we have failed to do the basics. So when we talk about eliminating our blind spots, often this must require a return to basics, ensuring that the fundamentals of good cyber hygiene are being fanatically followed across the business, from the boardroom to the loading bay.
MG: What does the latest ISF Threat Horizon report tell you about the current state of threats and what to expect over the next two years?
SD: The Threat Horizon series of reports – we produce them annually – is the only forward-looking assembly of threats that exists today; there is no shortage of detail on what happened yesterday and what you should’ve done to avoid being a victim of the threat or attack, but with cybersecurity changing so rapidly, there is a very clear need to stargaze and accurately predict threats to give business leaders and their cybersecurity counterparts the time and opportunity to put in place mitigating actions that protect the organization.
Specifically, the latest 2020 Threat Horizon report presents nine threats that organizations in all industries and regions can expect to face over the next two to three years. These threats are set out under themes that mirror day-to-day operations. The threats range from nation states, terrorist groups, hackers and hacktivists (who will take advantage of the same technologies that provide exciting opportunities for organizations to expand and drive efficiency, to refine their own cyber weapons) to an increasingly punitive regulatory environment littered with materially significant penalties. The result will be increased instability. To succeed in such a volatile environment, senior business leaders will need to demonstrate their commitment by driving action to counter the threats. Threat Horizon provides a roadmap to navigate this increasingly complex and shifting landscape; it is the business and cyber leaders’ GPS.
MG: What is cyber insurance, and should companies consider it?
SD: Cyber insurance is an insurance product used to protect businesses and individual users from internet-based risks and, more generally, from risks relating to information technology infrastructure and activities. So far, so good. However, the insurance industry typically operates from an actuarial standpoint, using past history to forecast and anticipate risk and, therefore, apply the appropriate cost versus risk analysis that results in a premium being charged.
Predictability is key, and there are very many variables that are taken into account. The challenge with cybersecurity is that the space is characterized by speed of change, lack of predictability and a short (by insurance standards) history upon which to base any risk assessment. Furthermore, there is no such thing as 100 percent security in cyberspace, and we need to pursue cyber resilience as a means of operating effectively in this space.
There is nothing traditional about the risks we encounter by operating in cyberspace. Cyber risk is a growing concern for organizations around the world, as data breaches make headlines with increasing frequency and the resulting financial and reputational costs mount. Cyber risk comes from actions that are accidental or malicious, and it is spreading outward as digital interconnection grows. Yet while the economic and social benefits of this interconnection are often clear and immediate, the risks tend to be opaque and delayed.
Against this backdrop, there will clearly be a desire for companies to try to take out some form of insurance, and cyber insurance meets that demand. But it is not a silver bullet. It doesn’t replace the need for sound cybersecurity practices, and, certainly in my discussions with insurers, the key is establishing two things: the degree of risk being managed and the manner in which that risk is handled and mitigated. So, good practice tends, then, to fall back on the appliance of robust cybersecurity good practice – as outlined in the ISF’s Standard of Good Practice – the compliance with regulations and the adherence to standards. All of these areas can provide guidance and insight into how to best manage risk when operating in a cyber-enabled environment.
MG: What exactly does cyber insurance cover for an organization?
SD: Policies can vary widely from insurer to insurer, but there are two primary areas of coverage to be familiar with: cyber liability insurance and cyber risk insurance. Cyber liability insurance provides cover for liabilities that an organization causes to its customers or to others. A sizeable market exists for these products, and it can cover data breach and crisis management (incident management, investigation, data subject notification, credit monitoring, legal losses and so on), media liability (website defacement for example), extortion liability and network security liability.
Cyber risk insurance is used to cover direct losses to the organization. It is less common not only because insurers still lack meaningful data, but also because many organizations assume that their corporate or general liability policies will cover cyber risk. This may or may not be the case, and it is always worth checking this out. Cyber risk insurance may include some liability coverage, but it can more broadly cover liability, copyright, effects of malicious code, business interruption, cyberattack, technology errors and omissions and intellectual property infringement.
The market continues to develop, and using insurance products to treat cyber risk is an option for many organizations. It is important to note, however, that although insurance will transfer a precise amount of risk to the insurer, there will be cyber risks that cannot be transferred and which an organization will have to deal with outside of any insurance policy.
MG: Do you believe all companies need cyber insurance?
SD: Cyber insurance is certainly one of the ways of handling cyber risk, but as I have said, it doesn’t remove the need for strong cyber resilience, effective cybersecurity policies and practices and an effective in-house risk assessment and management process that is able to effectively quantify and measure the risk of operating in cyber.
MG: How do you see cyber insurance evolving in the next five years?
SD: Inevitably, as insurers gather more data, policies become more tailored and price competitive in certain areas. The industry is still in its infancy, and over the coming years, not only will insurers mature their policies, but buyers will also become more demanding and aware of the specific areas where cyber insurance can provide a very real insurance policy.
A mature market is still some way off, but it is becoming clear what the market is likely to look like. Detailed discussions between buyers and sellers will improve clarity, and as a result, insurance products will become gradually commoditized. Policy wording will evolve through intensive scrutiny, and the frequency and severity of cyber risks will be understood better, allowing for more accurate pricing of risk. A mature cyber insurance market could also foster market-based security metrics that permit risk managers to trade off spending more to mitigate cyber risks with reductions in insurance premiums. This would be true progress and would make treatment of cyber risk an equal partner along with “mitigate, accept and avoid.” It would also significantly enhance organizational risk awareness and management and move cyber risk firmly out of the category of exotic and opaque and into the category of mundane and manageable.
Business risks, both malicious and accidental, are magnified by our growing dependence on cyberspace. This dependence facilitates data breaches on a scale never imagined and represents risk unique to cyberspace. As a result, cyber insurance is increasingly viable and even necessary for organizations of all sizes, and it is worthy of consideration within an organization’s risk treatment processes.
MG: How does ISF meet clients’ needs on this front?
SD: The array and complexity of cybersecurity threats continues to rise significantly, and businesses that do not prepare now will struggle to handle the challenges later. While individual threats continue to pose risk, it is the combination of them, along with the speed at which attacks may be launched, that provides the greatest danger. Enterprises want to take advantage of developing trends in both technology and cyberspace; it makes sound business sense – but to do so, they must manage risks beyond those traditionally handled by the information security function, including attacks on reputation and all manner of technology, from smartphones to industrial control systems. New attacks impact not just technology, but business reputation and shareholder value as well.
Establishing cybersecurity alone is no longer enough. Today, risk management largely focuses on achieving security through the management and control of known risks. The rapid evolution of opportunities and risks in cyberspace is outpacing this approach, and it no longer provides the required protection. Cyber resilience requires recognition that organizations must prepare now to deal with severe impacts from cyber threats that are impossible to predict.
Organizations must extend risk management to include risk resilience in order to manage, respond to and mitigate any negative impacts of cyberspace activity. One key element of building cyber resilience is to establish a governance framework with board-level buy-in for monitoring cyber activities – including monitoring partner collaboration and the risks and obligations associated with operating in cyberspace. Organizations should have a process for analyzing, gathering and sharing cyber intelligence with stakeholders. They also need a process for assessing and adjusting their resilience to the impacts from past, present and future cyberspace activity.
The role of the ISF is to help our members address all of these issues and more in an effective and practical fashion. Our members are corporations – many of the largest in the world – and that provides us with a unique opportunity to work with some of the brightest minds in addressing the challenges of one of the fastest-moving, most dynamic revolutions in industry and ways of working that we have ever seen.
We have to do that in an effective way that delivers real-world value and measurable benefit, and we have to be innovative but mindful that our solutions should also be practical. Increasingly, we have to address the needs of the practitioner, as we have always done, but we also need to address the needs of the business leader as cyber becomes a key strategic issue. So, we must continue to stay in touch with the needs across the whole business in our member organizations and ensure that we continue to occupy that #1 slot on the speed dial not just for the CISO and the CISO’s teams, but also for senior business executives, wherever in the world they happen to be.
Steve Durbin is Managing Director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.