Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey

Transcription

1 Bridging the Insurance/InfoSec Gap: The SANS 2016 Cyber Insurance Survey Barbara Filkins, CISSP, GSEC, GLSC Senior SANS Analyst 2016 The SANS InsBtute

2 Why We Are Here.. Problem: 1. Cyber insurance is rapidly becoming de facto solubon for business faced with cyber risks and breaches. 2. Security and insurance communibes need to achieve a common ground related to security and insurability. Goal: Make cyber insurance an integral and highlyvalued part of a comprehensive informabon security program 2016 The SANS InsBtute 2

3 Study Methodology ObjecBve: QuanBfy exisbng gaps to idenbfy roadmap that can achieve that common ground Approach: Collaborated with Advisen Data CollecBon Using Three Matched Surveys: InfoSec (163) Brokers (128) Underwriters (66) 2016 The SANS InsBtute 3

4 Demographics (InfoSec) Respondents: 30% security analysts and administrators 29% security management of which 45% senior Top Five Industries: OrganizaBons: 59% medium-sized Workforce < 5,000 Worth $ M Financial services/banking/insurance 26.6% Government 15.8% High tech 13.7% EducaBon 6.9% Healthcare 6.9% Manufacturing 4.4% 2016 The SANS InsBtute 4

5 Demographics (Risk) Considered Realized (People = most risky) 2016 The SANS InsBtute 5

6 Demographics (Risk) Note: Increased use of insurance is used to transfer risk third-party vendors 2016 The SANS InsBtute 6

7 The Gaps Terminology: Common vocabulary around risk Assessment/Framework Common course of acbon and outcomes CommunicaPon Understanding across communibes Investment Aligning the dollars 2016 The SANS InsBtute 7

8 Gap One: Terminology To InfoSec: Risk is the possibility of suffering harm or loss Risk = threat x vulnerability To Insurance: Risk is uncertainty arising from the possible occurrence of given events Risk is a tool to gauge probability of events, both loss and gain AND security is not the only risk that Enterprise risk management must consider 2016 The SANS InsBtute 8

9 We Asked the Insurance Community Note: Only 19% of brokers and 30% of underwriters said there is a common language of cyber risk with the InfoSec community The SANS InsBtute 9

10 We Asked the InfoSec Community 2016 The SANS InsBtute 10

11 Gap One: Terminology What is Needed: Strive to achieve a common understanding of cyber risk and the language used to express key concepts among your InfoSec team, your corporate risk manager, your insurance broker and your cyber insurance underwriter. However, this is easier said than done. Hint: Look at seman.c interoperability in the healthcare industry 2016 The SANS InsBtute 11

12 Gap Two: Assessment/Framework Lack of a common course of acbon for assessing and acbng on risk Need standard acbons, pracbces, plans, and metrics that, ulbmately, lead to understanding costs related to cyber risk management 2016 The SANS InsBtute 12

13 Risk Assessment and Modeling Risk assessment is the process to: IdenBfy risks Determine (and hopefully quanbfy) impacts Risk modeling follow two basic approaches: Qualita.ve: Uses relabve scale to measure risk Quan.ta.ve: Assigns financial value to loss 2016 The SANS InsBtute 13

14 Risk Assessment and Modeling 2016 The SANS InsBtute 14

15 Frameworks Framework Blueprint to construct a security or risk program Security Frameworks: Address risk assessment and management as part of overall control structure Risk Frameworks Specific to risk, complement Security Framework Examples: HIPAA/OCTAVE, NIST SP & The SANS InsBtute 15

16 Assessment vs. Framework 2016 The SANS InsBtute 16

17 Gap Two: Assessment/Framework What is Needed: A common framework that supports understanding, realis.c modeling, and jus.fiable and affordable ac.ons. Note: A framework must address reasons for underwriter rejecbons.. Reason for Underwriter Rejection Response Percent Inadequate Cyber security testing procedures and audits 44.7% Inadequate processes to stay current on new releases and patches 40.4% Inadequate cyber incident response plan 38.3% Inadequate backup processes and recovery 34.0% Structure, size and configuration of network 31.9% Inadequate policies concerning the security of vendors and business partners 31.9% Quality of security software 25.5% Quality of employee training on security issues 23.4% Lack of adherence to a published security standard (e.g. ISO 27000) 17.0% Lack of CISO or similar role 14.9% Inadequate security score provided by 3rd party service 14.9% Other 14.9% Physical security of data center 8.5% 2016 The SANS InsBtute 17

18 Gap Three: CommunicaPon The more sophisbcated clients engage the CISO in the renewal process. Usually if the CISO is involved it indicates the client has a beser handle on cyber risk. - Advisen Broker Survey I am talking your language I think but are you understanding what I say? 2016 The SANS InsBtute 18

19 Who s Involved In Buying? Seeking help: 42% engage the CSO/CISO and internal security team 8% look to external consultants and security SME 22% use a combinabon of internal/external resources Yet.. The decision sbll rests with the C-suite Role Recommend Decide Executive management (CEO, CFO, COO, President, VP, AVP) 63.3% 50.0% Risk manager 36.7% 1.7% Board of Directors 33.3% 25.0% Legal (internal or external counsel) 30.0% 8.3% Senior security management (CSO, CISO, director) 30.0% 5.0% Compliance officer or auditor 23.3% 3.3% Senior technical management (CTO, CIO, director) 18.3% 1.7% 2016 The SANS InsBtute 19

20 Key CommunicaPon Gaps InformaPon Security & Enterprise Risk Management Risk manager = part of informabon security team CSO/CISO = part of cyber insurance evaluabon and purchase team InformaPon Security & the C-Suite Awareness: Is the BOD aware of the threats? EducaBon: Does the BOD understand the consequences of their technology decisions or change in business strategy? 2016 The SANS InsBtute 20

21 Gap Three: CommunicaPon What is Needed: A communicabons plan that educates and inform all involved stakeholders As a starbng point, address: Business decisions re: procuring coverage Subsequent impacts on established security operabons Alignment of informabon security with enterprise risk management 2016 The SANS InsBtute 21

22 Gap Four: Investment Here s where we really need to bridge the chasm The SANS InsBtute 22

23 The Haves vs. The Have-nots 2016 The SANS InsBtute 23

24 The Haves The SANS InsBtute 24

25 The Haves Coverage Elements 2016 The SANS InsBtute 25

26 Is Coverage Adequate? Security professional consider coverage: Somewhat adequate -- 41% Adequate or beser -- 48% Brokers and underwriters concur with this observabon Yet this observa4on may be flawed: 2016 The SANS InsBtute 26

27 How Do We Really Know? No quanbfiable definibon of adequate Over 70% have not recovered losses thru cyber insurance (experience) At least 40% have had to adjust to security profile to sabsfy insurance terms without proof that changes actually reduce cyber risk or make cyber insurance cost effecbve 2016 The SANS InsBtute 27

28 Gap Four: Investment What is Needed: Align underwribng criteria for cyber insurance with investment(s) to improve cyber security posture (business risk profile) Insurance: Problem: : UnderwriBng lacks transparency Need: Standard expectabons for coverage InfoSec: Problem: JusBficaBon for assigning resources and $$ Need: Understandable terms for coverage & costs to quanbfy business ROI 2016 The SANS InsBtute 28

29 In Summary.. Some Thoughts Establish governmental or regulatory policy to set a basic floor with flexible standards Allow the market to evolve, don t legislate what will be quickly outmoded. Keep the viewpoint broad, not narrow Focus on adaptable methods to close the exisbng gaps and conbnue to build on them 2016 The SANS InsBtute 29