Speaking of paying out, Rick Tracy, CSO and senior vice president at Telos Corporation, said cyber insurance needs to mature. “Cyber attacks have increased over the past few years and will only get worse. Because cyber is so new, relatively speaking, there isn’t a great deal of actuarial data to help insurance carriers underwrite cyber risk,” he said.
The aggregate effect of cyber risk and the financial liability it poses are concerns for the insurance industry. For example, as bad as the Target breach was, what if there had been multiple, similar breaches that occurred simultaneously? What impact would this have had on the insurance carriers providing cyber liability coverage to these companies?
“Moving forward, not only will it be important for insurance companies to better understand the risks facing individual clients, but they will need to view this data over their entire portfolios to understand aggregate risk and ensure they are not over extended,” he said.
He added that the good news is that the insurance industry is beginning to rely on the National Institute of Standards and Technology (NIST) Cyber Security Framework (CSF) to help standardize the view of cyber risk and ultimately manage aggregate, or portfolio, risk.
In the next year we are going to see a rebalancing of spending from traditional security solutions to data protection and recovery, said Paul Zeiter, president at Zerto. “While security spend protects the perimeter fence, there are simply too many cases of breaches getting past these defenses to not have a plan B in place.”
CIOs and CEOs are starting to recognize that millions of dollars in IT security investments, while critically important, are just not enough when a disaster such as a hack or ransomware breaks through the perimeter or a natural disaster like a hurricane floods their data center.
“In the wake of a disaster, companies quickly come to the realization that without the right investments in a disaster recovery solution, their businesses are exposed. To be proactive, companies need a plan and tools in place to recover from any disaster very quickly with as little revenue and end-user impact as possible. Even if an organization has implemented the best preventative security technology, disasters can and do still happen,” he said.
CloudPassage’s Sweet predicts DevOps teams will own security implementation (or, DevSecOps will gain traction). “History doesn’t repeat itself, but it rhymes. In this case, the rhyme is that the primary technology owners will also own security control implementation — even if they don’t operate it,” he said.