Lucky for me, Twitter was showing re-runs a few days ago and I saw a link to an article I missed last fall:
Why are cyber insurers incentivizing clients to invest in specific vendors?
It’s a quick and worthwhile read about a program called the “Cyber Catalyst” by insurance broker Marsh. The program maintains a roster of cyber security products and services endorsed by various cyber insurance providers. The criteria used to evaluate candidate products are as follows:
Participating insurers evaluated the solutions along six criteria:
- Reduction of cyber risk: demonstrated ability to address major enterprise cyber risk such as data breach, theft or corruption; business interruption; or cyber extortion.
- Key performance metrics: demonstrated ability to quantitatively measure and report on factors that reduce the frequency or severity of cyber events.
- Viability: client-use cases and successful implementation.
- Efficiency: demonstrated ability of users to successfully implement and govern the use of the product to reduce cyber risk.
- Flexibility: broad applicability to a range of companies/industries.
- Differentiation: distinguishing features and characteristics.
In a world full of security snake oil, an objective list like this is certainly helpful. I am, at least, a little concerned at selection bias creeping into the list. If mature organizations that manage security well tend to use a particular service, that service is possibly the unfair beneficiary of the good practices employed by the organizations that use those services.
But never mind that. I made a commitment to myself that I would stop being yet another poo tosser that simply flings dung at people who are trying to help advance the state of security, and instead actually offer constructive ideas.
The missing pieces are people and processes. These are hard to objectify, but it seems within the realm of possibility to create a similarly endorsed set of processes and even types of skills IT and security staff known to lead to good outcomes. I can already hear people lining up to explain who I am wrong, but hear me out: I can all but guarantee two things about the Cyber Catalyst list:
- Any given organization can achieve good security outcomes without using any of the Cyber Catalyst services
- Any given organization that does use the Cyber Catalyst service can have a bad outcome
Much comes down to how any given organization manages risk, operates IT, and so on. The Cyber Catalyst provides a data point for organizations looking to invest in some new security tool or service. It doesn’t guarantee success. The situation with people and processes is similar. Given an inventory of “endorsed processes”, organizations looking to, for example, replace it’s change management, vulnerability management, or threat hunting processes can contemplate using exemplars in the endorsed process list. There are many frameworks out there already, from COBIT to NIST to ISO27k, but my view is that those, at best, would serve as a framework to organize the endorsed processes, since they don’t themselves, provide substantial information on how to actually operationalize them.
People could be similar. It seems possible to, in rough terms, identify a set of skills that organizations that defend themselves successfully have on staff. If that becomes successful, and it is “open”, it could serve as a list of skills to develop for that individuals looking to enter or advance in the IT security field.