During last week’s COSAC conference I had an interesting discussion with one of the other delegates regarding the state of information security. We lamented the fact that the various options tried by the industry to improve security have failed.
Technology is failing us: as soon as we have a solution in place, the bad guys bypass it. Not to mention that most security software has vulnerabilities of its own, as highlighted in my post “He who lives by the sword, dies by the sword”, where I show that 144 vulnerabilities were reported in security software between 1st January and 1st June 2007.
Security Awareness initiatives have failed. No matter how many times we tell people, they will still click on an attachment or a link in an email they were not expecting.
Compliance also seems to be failing us. We hoped that compliance would improve security, but the truth seems to be that companies are more concerned about being compliant than about being secure. So compliance has given us checklist security, and being compliant does not equate to being secure.
It was then that I suggested insurance companies could improve computer security. In the real world, a business very often cannot get insurance unless it complies with a list of security requirements imposed on it by its insurance company. So companies end up installing alarm systems, sometimes with 24×7 monitoring, improved locks on their doors and windows, and fire detection and prevention systems. Depending on the risk exposure facing the company, it may also have to deploy additional security measures such as CCTV, security guards etc., as stipulated by the insurance company. In addition, all of these systems have to be certified to a certain industry standard, and installed and maintained by trained and qualified personnel. So in the real world, would companies go to this extent of investing in physical security on their own? I argue that no, they wouldn’t! They have to do so in order to get insurance, without which they probably could not do business.
With the increasing risk exposure companies face in cyber security, and the increasing financial risks posed by potential litigation, non-compliance with standards such as PCI DSS and loss of revenue due to breaches, how long will it be before the insurance industry gets a good handle on this aspect of business and starts offering insurance in this area? Then how long will it be before a company wishing to conduct business online will only be able to do so after taking out a cyber insurance policy? That in turn will force these companies to implement security to protect their assets in accordance with the insurance company’s risk assessment.
Insurance companies have been assessing risks for decades and are experts in this area. So if you want to get a free risk assessment, simply ask an insurance company to quote you for cyber insurance and take the results of that assessment. Of course, you can only do this once.
Though, as my colleague at COSAC did point out, insurance is where you get payment in the event of something that might happen, e.g. fire insurance, whereas assurance is where you get payment when something that will happen does happen, e.g. life assurance. So given the state of our current information security landscape, where we expect to have a security incident at some stage, maybe we should be looking for cybersecurity assurance rather than cybersecurity insurance?
So do you think the introduction of cybersecurity insurance will help improve the state of information security, or will it simply be another false hope? Let me know what you think in the comments.