Bejtlich slammed out a bunch of posts late last week which I’m still wading through. Excellent food for thought for a whole week or more! I just wanted to jot a few thoughts of my own down, fairly unformulated ideas…
Cyberinsurance. It really does make sense on paper, no? And it’s one of those things we look towards like the sun peeking from the clouds in the distance as we’re still getting poured down upon; there is an end!
Sadly, it’s not a perfect solution. IT is spendy. Unlike fire insurance measures which may just include inheriting whatever the builders built plus marking exits with placards and posting occassional fire extinguishers, we inherit insecure building blocks and have to do a hell of a lot more to detect and monitor while also providing IT services to the business. That’s a very different magnitude.
Fires happen, but not very often. Cyber attacks may not happen to your business very often either, if at all, but they certainly seem to occur on smaller scales very often. Viruses, worms, snarfed credentials, file loss through P2P. While this isn’t like a fire that destroys a building, IT security is more like lots of little fires that can pop up every week in various corners.
Likewise, what if it were profitable for people to set fires to your building? And they could set fires without being physically present? And have little chance of being caught unless the fire gets way too big? I think we’d see lots of fires and fire insurance would have some pretty deep questions to start asking itself.
When a fire occurs, there are professionals trained to examine and determine fire causes. These causes, with extremely exotic exceptions, should be fairly finite and predictable based on the operations that take place in that building. Negligence can be supported with building specifications, local and federal laws and standards, and inspections based on specifics. IT is far more wide in the spectrum of choices, tools, implementations, and so on. There are best practices for things like a Windows shop, but relatively few people know them fully or pursue certs that would help solidify them.
Maybe cyberinsurance will be a way to show compliance? For instance, you do measures X, Y, Z, and part of G, and you won’t have to pay all that much more in premiums. Of course, how much do those measures cost compared to the savings? Taking this a step further, how is this very different from the much-maligned “HackerSafe” logo on websites? As an industry (and the media, and thus average people, and thus culture), we’re very intolerant of single failures. This might be because single failures can affect millions of people in ways we probably don’t even know about yet. Or it might be because it’s all so very dramatic yet… Laptop theft has existing since there have been laptops, but it seems like more now because of the disclosures requirements…
Insurance also seems to be something people buy to protect against things outside their control. Attackers and other digital shenanigans are maybe not so much seen as random or natural acts, but rather things we can control. Why buy cyberinsurance when that money can be spent on the IT/security infrastructure? We still have a lot of ways to become more secure, whereas insurance seems to me to be something you buy when you’re out of alternatives and need a safety net.
Cyberinsurance sure sounds good, but I wonder if our current state is going to upheave such an insurance model in the same fashion that technology is unheaving our idea of copyright and privacy.
Anyway, just some thoughts for me for the future, nothing solid or much that I’d back in a challenging discussion, yet. 🙂