Tag Archives: CISO

CISOs, Risk Managers: Better Together

Not so long ago, many chief information security officers (CISO) and other information-security professionals were offended by suggestions that their organizations should buy cyber insurance. After all, CISOs reasoned, if they did their jobs well, insurance would be unnecessary.

Fast forward to 2021. There probably isn’t a single CISO who believes that their organization is immune to potentially devastating cyberattacks. Recent news of alleged Russian penetration of well-protected government agencies and major corporations is one more reminder that any and every organization is vulnerable. Still, many CISOs are skeptical of insurance’s benefits and often are only tangentially involved in cyber insurance decisions.

CISOs are often concerned about perceived gaps in insurance coverage, about underwriting criteria that are misaligned with an organization’s security policies and procedures and about the willingness of insurers to pay claims. Some concerns are valid. For example, if an organization’s hardware is damaged by a malware attack, not every policy provides “bricking coverage,” which pays to replace impaired equipment. However, many CISOs’ concerns are based on now-outdated policy language and underwriting and claims practices. As cyber insurance has matured, underwriters are offering broader coverage with less burdensome underwriting requirements. Rather than avoiding claims, insurers are often trusted partners in responding to cyber events and managing their consequences.

Cyber insurance coverage may be more expansive now, but insurance buyers must still ensure that the protection they purchase is adequate and appropriate for their organization and its specific risk profile. In most large organizations, the risk manager buys cyber insurance. However, risk managers are rarely experts in network security and may not fully understand their organization’s cyber risk profile and control environment. This may result in purchasing insurance that does not adequately cover significant exposures, while over-insuring low-priority or well-managed risks. To ensure that cyber insurance aligns with the organization’s risk management needs, risk managers need to work with a broker who specializes in this type of coverage offering. Additionally, the risk manager and the broker need to include the CISO in the buying process. 

CISOs and risk managers have a common mission — to protect the assets of their organization. In many organizations, they haven’t effectively collaborated — along with their broker and carrier partners — to achieve their common goals. Even when insurance is recognized as an essential part of the overall cyber risk management strategy, organizational silos, the lack of a common risk vocabulary and differences in risk management frameworks can impede cooperation.

According to a SANS Institute report, Bridging the Insurance/Infosec Gap, “InfoSec and insurance professionals acknowledge they do not speak the same language when defining and quantifying risk, leading to different expectations, actions and justification for outcomes.”

The SANS Institute does not offer a one-size-fits-all solution for closing the gap. Within an organization, successful coordination and cooperation depend on corporate culture, institutional obstacles and how motivated CISOs and risk managers are to cooperate on their common goal.

See also: How Risk Managers Must Adapt to COVID

A coordinated approach is more essential today than ever before. With so many employees working from home during the COVID-19 pandemic, using their personal networks and often their own equipment, IT departments and security professionals struggle to ensure network security. A survey of 250 CISOs by Resilience (named Arceo at the time of the study) found that cloud usage, personal devices usage and unvetted apps or platforms posed the most significant threats during this period of increased telework. 

With so many factors outside the direct control of IT and information-security professionals, insurance becomes essential. But cyber insurance policies can materially vary, and not all insurers offer enough of the right coverage to satisfy an organization’s risk-transfer requirements. Once the corporate risk management and information-security functions are aligned, a broker can help navigate the universe of cyber insurance and help the client understand nuances in policy language to satisfy the organization’s risk-transfer requirements.

The outcome is an integrated program where insurance from secure and knowledgeable carriers is fully aligned with the organization’s risk profile and information-security strategy.

How CISOs Are Responding to COVID

Since the stay-at-home orders first started in March, chief information security officers (CISOs) have been sharing both their horror stories and how they’ve shifted priorities to keep their companies safe. These CISOs work in a wide variety of companies, and the anecdotes we’ve been hearing run the gamut. 

Changes are happening in how CISOs make decisions, so, in line with Arceo’s mission of driving comprehensive cybersecurity management, we wanted to look at how the rapid expansion of remote work is affecting cybersecurity business decisions directly.

We collected one of the first sets of quantitative data on how CISOs’ priorities have changed since many businesses started moving to work from home. With our research partner, Wakefield, we surveyed 250 CISOs at companies with $250 million to $2 billion in annual revenue. We asked them about their current and changing approach to cybersecurity risk management. Below is a synopsis of some of the results we found most interesting; the full report is available on our website.

Many CISOs say they need more options and coverage for cybersecurity insurance. However, they aren’t getting the coverage they need or the post-breach services required to recover from certain incidents. Almost four-in-five (77%) reported that there are incidents they feel they need coverage for, but that they are unable to get it. 

Additionally, nearly all (96%) of the CISOs surveyed want additional coverage for the increased vulnerabilities resulting from the work-from-home surge. This means that almost every CISO out there is worried — likely because the security practices followed when working remotely are laxer than those followed in the office, leading to a higher risk of attack. In fact, over 40% of CISOs said that cloud usage (49%), personal device usage (45%) and unvetted apps or platforms (41%) posed the biggest threats during this work-from-home period.

The overwhelming majority (88%) of CISOs are not completely satisfied with the performance of their company’s primary insurance brokerage. Additionally, CISOs want more help when they need it most. Nearly all CISOs (98%) want additional support from their cyber insurance provider after a serious incident. 

Nearly half of all CISOs (48%) report they have experienced a security breach. Insurers and brokers need to step up and are likely in a position to play a bigger role in the prevention and the aftermath of a breach because nine in 10 CISOs are open to purchasing cybersecurity tools along with cyber insurance from the same company. 

See also: COVID-19: The Long Slog Ahead

Now more than ever, CISOs seem to be concerned about disruption to continuity, which is a greater risk as staff work from home. More than half of CISOs want cyber insurance to cover business email compromise (56%), loss of electronic data (55%), cyber extortion (53%) and ransomware (52%). 

CISOs recognize they need more influence, and nearly all CISOs (97%) agree that the opportunity to interact with the board is crucial to their success as a CISO. 

Check out the full “Quantitative Analysis of Unmet Insurance Needs and Cyber Security Tools Among CISOs” report to find out more about how CISOs view the changing landscape and how cyber insurance needs to adjust to fit their needs.

IT Security: A Major Threat for Insurers

As the insurance industry changes in response to continued digitalization, IT leaders must continue to maintain and improve their ability to protect confidential data and customer information. While technological advances can streamline processes, they can also open the door for potential risks. Modern digital systems and procedures must be completely secure for agents and insureds to trust them, and to protect the companies from liability.

In a recent Novarica study, we found that insurers are enhancing security capabilities across the board. Nearly half of those we spoke to are enhancing capabilities in intrusion detection, application security and data encryption. Fewer insurers are enhancing their intrusion detection capabilities in 2017 than in 2016, but they remain among the most basic elements of IT security, and a critical component in ensuring a rapid response to any breaches. Most insurers have also already put in place application security measures to prevent security gaps, though this is an area that needs continual investment to stay current against evolving threats. And larger insurers are more likely than mid-sized insurers to be planning enhancements for data encryption capabilities. However, some midsize insurers are planning to pilot and launch encryption capabilities, in part due to encryption requirements within the New York State cybersecurity law and NAIC cybersecurity draft.

See also: 10 Cyber Security Predictions for 2017

Carriers still plan to enhance audits and procedures, but activity in this area has dropped somewhat because of heavy investment in 2016, when many insurers adopted NIST for the first time. IT security is as much a matter of practices and monitoring as it is of technology. In fact, from a CIO resource perspective, audits and procedures are often more expensive than technology. Processes need to be created to evaluate all aspects of security management and determine the process maturity. These processes need to be independently validated through a combination of sampling, gathering statistics from tools and holding discussions with people responsible for those procedures.

We also see some activity when it comes to security frameworks and regulations. Insurers are preparing for new regulations, with some taking a “wait and see” approach to recently loosened New York State cybersecurity regulations. However, the New York State regulations or the NAIC cybersecurity model law will be replicated across all of the states over the next two to three years. Carriers need to monitor the developments in this area and ensure compliance to minimize fines and reputational damage.

In terms of frameworks, we see a slight increase in the adoption rate for NIST, from 60% to 70%, and a lower rate of 60% for SSE-CMM. NIST is a framework that uses business drivers to guide cybersecurity activities, and supplements activities related to SSE-CMM, as it covers all aspects of an organization’s processes. SSE-CMM assesses an organization’s maturity with regard to secure software development. Many insurers seem to prefer NIST over the SSE-CMM framework, and very few insurers are relying on other formal frameworks like COBIT, ITIL and the NYS regulation framework.

While more insurers choose to adopt NIST over other frameworks, adoption of formal frameworks is growing across the board. To ensure data protection across the enterprise, insurers can rely on frameworks to assess security risks. The organization must ensure that the software it builds or that is built on its behalf is secure and does not open up a security exposure. One good way to determine if the process of software development creates secure applications is to look at the security maturity of that process. The SSE-CMM is the way to assess this, but it does not go far enough. A full risk management framework needs to be applied to the firm to augment its other operational risk assessments. The NIST framework, developed in 2014, is becoming the standard for all insurers to assess digital and operational security risks in a structured way and to develop a road map to improve their cyber-security practices.

See also: Paradigm Shift on Cyber Security  

Most large insurers have a mature IT security function, with a dedicated organization led by a chief information security officer. But for smaller companies, dedicating resources and building competency in this area can be challenging. What is more, IT security is still seen as a lower priority for CIOs and mid-level managers. Less than 10% of an insurer’s IT budget is typically focused on security. In some cases, especially in mid-sized and small carriers, basic capabilities like penetration testing, ethical hacking programs and mandatory security training are lacking. Additionally, many carriers do not have a dedicated security executive like a CISO. Insurers must ensure that they understand their challenges and options, prioritize their investments and plan their responses to security incidents.

Cyber Rules May Be Only Weeks Away

Last September, New York’s Department of Financial Services (DFS) took a major step forward in its efforts to improve the cybersecurity posture of financial institutions (including banks and insurance companies) by proposing the first-in-country cybersecurity regulations. By any measure, the proposed regulations are comprehensive and demanding, and admittedly are intended by DFS to be “groundbreaking.” The proposal contains a number of prescriptive requirements that are substantially more rigorous than current best practices and would require major operational changes for many organizations.

Key Components  

The regulations would require entities to fulfill a variety of requirements, including the establishment of a cybersecurity program, and the adoption of a cybersecurity policy, which must be approved by the board or by a senior officer, and which encompasses key risk areas including information security, access controls, business continuity, data privacy, vendor management and incident response.

See also: If the Regulations Don’t Fit, You Must…  

The proposal would also require covered entities to designate a chief information security officer (CISO), who will be responsible for implementing, overseeing and enforcing the cybersecurity program and policy. The CISO would need to develop a report, at least bi-annually, that addresses a prescribed list of issues. The report would then be presented directly to the company’s board. The board chair or a senior officer would be required to submit an annual certification of compliance with the regulations, which might expose the individual to liability if the entity is, in fact, noncompliant.

In addition, the proposed regulations broadly define a “cybersecurity event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.” The covered entity would be required to notify the superintendent of financial services within 72 hours of any such event if it “has the reasonable likelihood of materially affecting the normal operation of the covered entity or that affects nonpublic information.” This raises the question of how an unsuccessful attack could ever have a reasonable likelihood of materially affecting operations or protected information. But a fair reading of the reporting mandate in light of the definition would not appear to allow for blanket disregard of failed attacks, even though major financial institutions thwart countless potentially devastating attacks on a daily basis. If this proposed requirement becomes part of the final regulation, the burden on covered entities and the DFS itself may be quite substantial.

Covered entities also would need to encrypt nonpublic information in transit and at rest. Although compensating controls approved by the CISO can be used if encryption is not currently feasible, the regulations would impose deadlines of January 2018 and January 2022 for encryption of data in transit and at rest, respectively. Encryption of at-rest data is likely to be one of the most challenging DFS requirements.

The proposed regulations contain many additional requirements, including:

  • Implement a fully documented incident response plan;
  • Maintain audit logs on system changes for six years;
  • Annually review and approve all policies and procedures;
  • Dispose of, in a timely manner, sensitive information that is not needed to provide services;
  • Use multi-factor authentication for privileged access to database servers that allow access to nonpublic information;
  • Adopt policies, procedures and controls to monitor authorized users and detect unauthorized access; and
  • Institute mandatory cybersecurity awareness training for all personnel.

See also: Huge Cyber Blind Spot for Many Firms

DFS is currently reviewing comments received from the public, but it is not known if the proposed requirements will change in any material way when they go into effect on the anticipated date of Jan. 1, 2017. Covered entities would then have only 180 days to comply with many requirements.

Concluding Thoughts 

Although large financial institutions may already have implemented a number of the mandates proposed by DFS, compliance still may be problematic for them because of the prescriptive nature of many of the components of the proposed regulations. And less mature entities would be well served to immediately focus on getting into compliance with the most basic requirements, given their virtually inevitable inclusion in the final regulations and the short deadline for compliance.

Predictive Tech Can Preempt Cyber Threats

In the ever-evolving landscape of cyber threats, for many organizations, simple detection and remediation is no longer enough. Some cybersecurity companies are now going one step further, providing predictive intelligence that can preempt threats.

In September, Triumfant became the latest to enter this growing field, through a partnership with Booz Allen Hamilton.

“If you’re just offering prevention, you don’t have a complete product. If you have detection and remediation, you’re getting closer,” Triumfant CEO John Prisco says. “When you add predictability, you’re starting to get a fairly robust treatment of the problem.”

More: How data-mining boosts network defense

Triumfant, founded in 2002, has been evolving in the way it provides endpoint protection. The latest iteration of its AtomicEye platform integrates Booz Allen’s capabilities to reverse engineer an attack with the goal of attribution (looking for the source of the attack) and threat prediction.

“(Booz Allen) will accept the malware from us, detonate it in their lab and reverse engineer it,” Prisco says. “They’ll then use the information they have to try and determine attribution.”

Although not all clients are interested in attribution, the capability is built into AtomicEye so files can be easily collected for the Booz Allen lab.

The AtomicEye platform detects malware by analyzing the computer’s patterns against an established blueprint, an atomic fingerprint based on upward of a million data points that were collected previously to establish the baseline. Once malware is detected, the computer’s operator clicks on a button to remediate the attack.

The offending file can be checked against threat intelligence databases, and, if it’s not listed, that indicates the likelihood of a zero-day attack. The Triumfant platform becomes essentially a filter for potential future analysis.

“If it doesn’t exist in the database, then it’s a real candidate for Booz Allen to do analytical work on it,” Prisco says.

Randy Hayes, Booz Allen Hamilton vice president, says his company is “uniquely qualified to deconstruct the threat in the lab” because it has been providing advanced malware analysis to the U.S. government for years. Booz Allen can use that experience to do things that no one can replicate for getting more actionable threat intelligence, according to Hayes.

“One of the biggest problems with cybersecurity right now is that there is too much focus on technology and automated solutions,” he says. “What we need instead is more intelligence tradecraft to include more mathematics around behavioral analytics, which is what Triumfant does.”

Prisco says what makes his company different in the threat intelligence space is the approach.

He says that typically, threat intelligence platforms would scan a computer for known offenders to see if those types of files exist on the machine. But because there could be millions of files uploaded to the cloud-based threat-intelligence platforms, scanning a computer for all of them would essentially make the machine inoperable, so the platform may scan for a select number.

He points out that’s why, in a recent data breach report, Verizon was critical of threat intelligence platforms.

“It’s difficult to get all the threat intelligence in the cloud fast enough to make a difference,” he says.

AtomicEye, instead, detects the offensive file first, then scans it against the threat-intelligence database.

“That’s much easier to do,” Prisco says. “We’re not trying to burden each computer and scan for each problem.”

In other words, instead of using the typical signature-based detection, Triumfant uses statistical anomaly analysis to find malware.
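To make the detect-then-lookup idea described above concrete, here is an added Python example. It is not Triumfant’s or Booz Allen’s code, and it does not reproduce AtomicEye’s internals, which this article does not describe; it assumes a much simpler “blueprint” (a per-host table of file paths and SHA-256 hashes) and models the deviation step as new or changed hashes. Only the deviating files are checked against the threat-intelligence set, and files that deviate but are not in the set are kept as candidates for deeper analysis, which is the filtering role the article attributes to the platform. All paths, file contents and the “known-bad” hashes are constructed for the demo and are not real indicators.

```python
"""Added example (not Triumfant's or Booz Allen's code): baseline-deviation
detection followed by threat-intelligence lookup on the deviations only.

Everything below (paths, file bytes, the 'known-bad' hash set) is constructed
for illustration; none of it is a real indicator of compromise.
"""
import hashlib
from typing import Dict, List, Set, Tuple


def sha256_hex(data: bytes) -> str:
    """Hash file content; the hash stands in for the article's 'fingerprint'."""
    return hashlib.sha256(data).hexdigest()


# Constructed golden inventory of one endpoint: path -> file bytes (assumed blueprint).
BASELINE_FILES: Dict[str, bytes] = {
    "/usr/bin/ls": b"ELF-ls-v1",
    "/usr/bin/ssh": b"ELF-ssh-v1",
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/home/alice/report.docx": b"PK-docx-report",
}

# Constructed current snapshot of the same endpoint: one binary changed,
# one new file that matches the intel set, one new file that does not.
CURRENT_FILES: Dict[str, bytes] = {
    "/usr/bin/ls": b"ELF-ls-v1",
    "/usr/bin/ssh": b"ELF-ssh-MODIFIED",                     # content changed
    "/etc/hosts": b"127.0.0.1 localhost\n",
    "/home/alice/report.docx": b"PK-docx-report",
    "/tmp/.x/dropper.bin": b"constructed-known-bad-sample",  # new, in intel set
    "/tmp/.x/stage2.bin": b"constructed-unknown-sample",     # new, not in intel set
}

# Constructed threat-intelligence set: hashes of content we have labelled known-bad.
KNOWN_BAD: Set[str] = {
    sha256_hex(b"constructed-known-bad-sample"),
    sha256_hex(b"constructed-other-bad-sample-1"),
    sha256_hex(b"constructed-other-bad-sample-2"),
}


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Reduce an inventory to path -> sha256; this is the per-host baseline table."""
    return {path: sha256_hex(data) for path, data in files.items()}


def deviations(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, str]:
    """Files whose hash is absent from the baseline or differs from it.
    Deleted files are not reported here; a fuller tool would track them too."""
    return {path: h for path, h in current.items() if baseline.get(path) != h}


def triage(baseline_files: Dict[str, bytes],
           current_files: Dict[str, bytes],
           intel: Set[str]) -> Tuple[List[str], List[str], int, int]:
    """Detect first, then look up only the deviating files against intel.

    Returns (known_bad_paths, unknown_candidate_paths,
             files_sent_for_lookup, total_files_on_host).
    The last two numbers show how many files a full signature sweep would have
    had to compare against every indicator, versus how many this approach checks.
    """
    base = fingerprint(baseline_files)
    cur = fingerprint(current_files)
    dev = deviations(base, cur)
    known_bad = sorted(p for p, h in dev.items() if h in intel)
    # Deviates from baseline but unknown to intel: the "zero-day candidate" bucket
    # the article says is worth sending to a lab for analysis.
    unknown = sorted(p for p, h in dev.items() if h not in intel)
    return known_bad, unknown, len(dev), len(cur)


if __name__ == "__main__":
    bad, candidates, looked_up, total = triage(BASELINE_FILES, CURRENT_FILES, KNOWN_BAD)
    print("matched known-bad intel :", bad)
    print("unknown, send to lab    :", candidates)
    print(f"lookups performed: {looked_up} of {total} files on host")
```

Running the script reports the dropper as a known-bad match, while the modified `ssh` binary and the second-stage file are surfaced as deviations with no intel match, the bucket a defender would escalate for sandboxing or reverse engineering rather than ignore. In production, the baseline table and the intel set would be maintained centrally and the host would submit hashes rather than file contents.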

“For a long time, the industry has been looking at malware variety and zero-day malware, trying to detonate, categorize and understand to enrich cyber intelligence,” Hayes says. “However, because Triumfant’s AtomicEye… is able to isolate and discover behaviors that would indicate the presence of malware on the network, we anticipate being able to get more actionable threat intelligence out to consumers.”

In 2012, Gartner forecast that predictive analytics was the future of business intelligence, fueled by big data. In 2014, the research company said big data analytics would play a critical role in cybersecurity, as well.

Hayes says he’s noticed a shift since that report came out in the way CSOs and CISOs are thinking, moving from post-incident to pre-incident threat intelligence.

He says the trend is in its infancy and has a long way to go “before it is fully baked,” but it could help slightly close the gap the bad actors maintain over the good actors.

Part of the advantage of this approach is the strategic analysis that can help anticipate attacks.

“Human beings launch these attacks, not robots,” he says. “If we focus on who is pulling the trigger, the motivation, the target and the intent, we will have a better chance of mitigating the impact of the attack. We need to shift the focus from the ‘bullets’ to the adversary and its target.”