Check out the highlights of an Infosec study conducted with the 451 Alliance, exploring the usage of cybersecurity insurance policies as a method of risk transfer for enterprise security programs:
Some leaders feel that if they spend the money on cyber insurance, they don't have to worry about spending money on protecting their infrastructure.
I lived this personally. We bought cyber insurance, within 30 days we were hit with ransomware, cyber insurance got us out of a jam by paying for a third-party IRT -- and our untested backups actually worked the first time.
But in the "lessons learned" chapter of this story, the company began a new M&A cycle. And we bought a new phone system. But all we did to improve our cybersecurity posture was add Carbon Black. That's all.
I left, so if the underwriter ever demanded more from the enterprise, I'll never know what they required.
@JoePete wrote: It is a shame that insurance, which is supposed to bring some certainty when the unexpected happens, has itself become an unpredictable entity.
Oof, this statement hits home. Too real.
Thanks to my colleague Emily for posting what is evidently a thought-provoking piece of research. It's great to see such analytical investigation of a topic that poses questions with no right (or wrong) answers, at least for the moment.
If you're interested in climbing under the hood of security discussions like these, our 451 Alliance (an ISC2 partner) is a place where perspectives on such topics are routinely explored. The Alliance is a community of IT professionals like you who share insight on a range of IT subjects with their peers via our research. We anonymously survey and interview our members, then generate reports -- like the one Emily posted -- that are shared back with the entire membership.
If you'd like to share your voice, we'd love to have you aboard. Click below to register:
Thanks folks -- keep the discussion flowing!