Dealing With the Carcinization of Security


Recently, a friend brought up the term “carcinization” and I must admit, I had to look it up! Turns out the term was coined more than 100 years ago to describe the phenomenon of crustaceans evolving into crab-shaped forms. Today, there are even memes for it. So, what does this example of convergent evolution have to do with security? It’s an apt description of how the security industry has evolved and why security leaders often struggle to determine the right security investments for their organization.

The security industry started out with a series of point products to solve very specific challenges. Organizations used endpoint antivirus, firewalls, IPS/IDS, and routers to protect themselves. Email and web security tools were soon added, along with SIEMs and other tools like ticketing systems, log management repositories and case management systems to house internal threat and event data. Endpoint detection and response (EDR) tools then came into the mix and a few years later served as the jumping off point for the next phase in the industry’s evolution. That’s when the traditional walls between endpoint and network security technologies began to crumble and product categories were no longer clearly defined.

Everything starts to look alike

When the concept of extended detection and response (XDR) was introduced a couple of years ago, industry analysts each seemed to have slightly different, but colliding, definitions of it. Some said XDR is EDR+ (with different opinions as to what the + consisted of) while others said XDR isn’t a solution at all, but an approach or an architecture. Those conversations continue today.

Now the industry is talking about threat detection, investigation and response (TDIR) platforms and depending on who you ask about the difference with XDR, you’ll get a different answer. Some say XDR is an overarching architecture and TDIR is the platform that integrates all the capabilities required for XDR. Others say TDIR is a process. And another contingent says they are one and the same.

The varied viewpoints as related security concepts take on similar traits create substantial confusion among security teams trying to evaluate and purchase security technologies to strengthen their organization’s security posture. At a time when the market should be maturing and moving security to a better place, these discrepancies prevent that from happening.

Use cases, not labels
So, how can security teams cut through the noise and confusion? In the carcinization of security, where everything starts to look and sound alike, it’s critical to focus first on use cases. To do this, start with what you are trying to accomplish, the associated workflows, and the people, processes, and technology required. From there, you can look at where the gaps exist and where to invest to achieve your goals.

Sometimes you may need a specific technology for a specific use case. Or, ideally, you find a platform that can handle multiple use cases security professionals are focused on today as security operations centers (SOCs) mature. These include spear phishing, threat hunting, alert triage, vulnerability prioritization and incident response.

For each of these use cases, context is critical to understand the who, what, where, when, why and how of an attack. With a security operations platform that can aggregate and correlate internal threat and event data with external data on indicators, adversaries and their methods, you can analyze multisource data and understand relevance to your environment based on parameters you set. Once you have the right data and context, you can pivot around a specific piece of data to understand and act. You can parse and analyze spear phish emails for prevention and response, prioritize alerts for triage, identify vulnerabilities to patch first, and accelerate threat hunting. Integration with the right tools allows you to send data back out across your defense grid to accelerate incident response, including blocking threats, updating policies and arming the organization against the next wave of attacks.

The truth is, the walls established to separate product categories should have been challenged sooner for the benefit of security. Organizations considering the latest acronym or spurred by the latest attack may have selected a different, more effective tool or platform depending on their goals, internal resources and capabilities. When everything starts to look like a crab and walk like a crab, we can’t rely on labels. We need to look at use cases, desired outcomes and the best path to get us there.

The post Dealing With the Carcinization of Security appeared first on SecurityWeek.

Cyber Insights 2023: Cyberinsurance


About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

SecurityWeek Cyber Insights 2023 | Cyberinsurance – Cyberinsurance emerged into the mainstream in 2020. In 2021 it found its sums were wrong over ransomware and it had to increase premiums dramatically. In 2022, Russia invaded Ukraine with the potential for more serious and more costly global nation state cyberattacks – and Lloyds of London announced a stronger and more clear war exclusions clause. 

Higher premiums and wider exclusions are the primary methods for insurance to balance its books – and it is already having to use both. The question for 2023 and beyond is whether the cyberinsurance industry can make a profit without destroying its market. But one thing is certain: a mainstream, funds rich business like insurance will not easily relinquish a market from which it can profit.

It has a third tool, which has not yet been fully unleashed: prerequisites for cover.

The Lloyd’s war exclusion clause and other difficulties

The Lloyd’s exclusion clause dates to the NotPetya incident of 2017. In some cases, insurers refused to pay out on related claims. Josephine Wolff, an associate professor of cybersecurity policy at Fletcher, Tufts, has written a history of cyberinsurance titled Cyberinsurance Policy: Rethinking Risk in an Age of Ransomware, Computer Fraud, Data Breaches, and Cyberattacks

“Merck and Mondelez, sued their insurers for denying claims related to the attack on the grounds that it was excluded from coverage as a hostile or warlike action because it was perpetrated by a national government,” she explains. However, an initial ruling in late 2021, unsealed in January 2022, indicated that if insurers wanted to exclude state-sponsored attacks from their coverage they must write exclusions stating that explicitly, rather than relying on boilerplate war exclusions. Merck was granted summary judgment on its claim for $1.4 billion.

The Russia/Ukraine kinetic war has caused a massively increased expectation of nation state-inspired cyberattacks against Europe, the US, NATO, and other west-leaning nations. Lloyds rapidly responded with an expanded, but cyberinsurance-centric, war exclusion clause excluding state-sponsored cyberattacks that will kick in from March 2023. 

But “who gets to decide whether an attack is state-sponsored?” asks Wolff. “And what does it even mean for the attack to be state sponsored: that it was perpetrated by government employees? Or paid for by a government? Or even just tacitly permitted by a government? And state-sponsored cyberattacks are not rare occurrences – an exclusion for them is very different from a war exclusion that deals with a fairly well-specified and infrequent event.”

She is not alone with such concerns. “The issue here lies in the murky waters of attribution” explains Chris Denbigh-White, cybersecurity strategist at Next DLP. “Was the attack ‘state-conducted?’ Was it ‘state sponsored?’ Was it ‘state inspired?’ or was it simply a criminal organization piggybacking an existing conflict for financial gain?”

“Looking ahead,” continued Wolff, “I think insurers and their policyholders are going to find themselves mired in a lot of fights about attribution and how to define what makes a cyberattack state-sponsored or catastrophic or uninsurable.” Two things are certain: security defenders will have increased questions over the cost/return value of cyberinsurance, while insurers will be seeking new ways to ensure their market doesn’t disappear.

The insurers have one major advantage: insurance has been a staple part of business for centuries, and business leaders don’t seem inclined to exclude it from security. Joseph Carson, chief security scientist and advisory CISO at Delinea, notes that his own firm’s survey reveals 33% of IT decision makers applied for cyberinsurance due to a requirement from their board and executive management.

He also notes that 80% had subsequently called upon that insurance with more than half doing so more than once. “As a result of more cyber insurance policies being introduced, and ultimately many businesses needing to use them,” he comments, “the cost of cyber insurance is continuing to rise at alarming rates. I expect to see this continue in 2023.”

Jerry Caponera
Jerry Caponera

The insured’s concern over a falling return on investment is not the only worry for the insurers – whether we are in a defined recession or not, the world is certainly suffering an economic downturn. This is already having affecting security budgets. “Companies spent massively during the pandemic, and now that the economy has cooled, spending will go back to 2019/2020 levels,” explains Jerry Caponera, GM at ThreatConnect.

“A very likely outcome of this,” he continued, “is that more companies will fall below the cybersecurity poverty line (CPL). With inflation currently [at the time of writing] over 8% – measuring 4x higher than the central bank’s target rate of 2% – companies who hadn’t planned for increased costs will find themselves with less money to spend on cyber, thus falling further below the CPL and finding themselves facing the hard decision on where to spend their next investment dollar.” 

Firms will increasingly need to choose between cybersecurity mitigations or cyberinsurance – and neither of these options on their own will benefit the insurance industry.

Insurers’ response

2023 is a watershed moment for cyberinsurance. It will not abandon what promises to be a massive market – but clearly it cannot continue with its makeshift approach of simply increasing both premiums and exclusions to balance the books indefinitely.

One option would be to become more granular in the cover it offers. Instead of a single cybersecurity policy with a long list of exclusions, it could offer coverage in specific areas only. This would allow coverage to be more tightly defined with fewer if any exclusions. Further, suggests Chris Gray, AVP of security strategy at Deepwatch, it would “allow basic risk management into services while providing the ability to charge increased premiums for more upscale/impactful attacks.”

This approach is not without precedent in other industries. The Food Liability Insurance Program (FLIP) provides Insurance designed for small food businesses with gross annual receipts under $500,000. The Forward Contract Insurance Protection (FCIP) plan is a supplemental insurance that provides an indemnity for farmers unable to deliver contracted volumes.

“Government intervention in the form of sanction insurance programs – a la TRIP, FLIP, FCIP, etcetera – is likely to evolve, with a significant discussion regarding coverage areas and their impact on national security,” suggests Gray.

One of the strongest likelihoods over the coming years, however, is the growth of cybersecurity requirement impositions; that is, insurers will decline coverage unless the insured conforms to a specified security posture. This is the final option – when you can no longer increase premiums and exclusions, you have to reduce claims. And this is best achieved by helping industry prevent cyber incidents.

It may still not be enough. Chris Denbigh-White, cybersecurity strategist at Next DLP, argues, “The notion of ‘insuring away cyber risk’ will become (and arguably always was) somewhat unrealistic.  Insurance premiums, prerequisites and policy exclusions will no doubt continue to increase in 2023 which will have the effect of narrowing the actual scope of what is really covered as well as increasing the overall cost.”

Nevertheless, the expansion of ‘prerequisites’ would be a major – and probably inevitable – evolution in the development of cyberinsurance. Cyberinsurance began as a relatively simple gap-filler. The industry recognized that standard business insurance didn’t explicitly cover against cyber risks, and cyberinsurance evolved to fill that gap. In the beginning, there was no intention to impose cybersecurity conditions on the insured, beyond perhaps a few non-specific basics such as having MFA installed.

But now, comments Scott Sutherland, VP of research at NetSPI, “Insurance company security testing standards will evolve.” It’s been done before, and PCIDSS is the classic example. The payment card industry, explains Sutherland, “observed the personal/business risk associated with insufficient security controls and the key stakeholders combined forces to build policies, standards, and testing procedures that could help reduce that risk in a manageable way for their respective industries.”

He continued, “My guess and hope for 2023, is that the major cyber insurance companies start talking about developing a unified standard for qualifying for cyber insurance. Hopefully, that will bring more qualified security testers into that market which can help drive down the price of assessments and reduce the guesswork/risk being taken on by the cyber insurance companies. While there are undoubtedly more cyber insurance companies than card brands, I think it would work in the best interest of the major players to start serious discussions around the issue and potential solutions.”

Bob Ackerman
Bob Ackerman

Bob Ackerman, MD and founder of AllegisCyber, agrees with Sutherland about the way forward for cyberinsurance, but is damning about its progress so far. “Unfortunately, insurers have struggled to take advantage of the opportunity, writing policies with numerous exclusions, high deductibles, and low coverage caps, and showing massive losses in the process. The market opportunity will require insurers to become proactive in defining performance thresholds in order to be ‘insurable’.”

He believes a PCIDSS-style model could be the solution. “By setting standards and measuring related performance, insurers can help define ‘cyber secure’ and build a profitable book of business in the process.”

Mark Lance, VP of DFIR and threat intelligence at GuidePoint Security, even suggests what it might look like. “We’ll continue to see an expansion from traditional questionnaires to actual validation, which will not only include a baseline of standard security solutions (EDR, PAM, MFA), their associated and current configurations (ASM) but also the presence of standard policies (IR Plans, Playbooks), and execution capabilities (Proof of User Awareness Training and Tabletop validation).”

Mike McLellan, director of intelligence at Secureworks, adds, “The requirements on organizations wishing to obtain cyber insurance will become more and more stringent, and organizations that are unable or unwilling to comply will find coverage is declined.”

Whether a PCIDSS style cyberinsurance standard can work is a separate question. While PCIDSS is a well-respected security standard, it has not eliminated the criminal theft of payment card details. GDPR has not eliminated the theft of PII. Put simply, successful cyberattacks cannot be eliminated by cybersecurity tools.

But to even reach the stage of a defined cyberinsurance standard, the insurance industry will either have to get into bed with existing security vendors or become a cybersecurity company itself. The former is worrying – depending on the closeness of the relationship and the degree to which the vendor seeks to satisfy the insurance industry rather than its own customers – while the latter is doomed to failure. The more mature security vendors have been working for more than two decades on eliminating cyber threats with varying but ultimately little success.

Whether or not a full cyberinsurance security standard emerges, there will be increasing cooperation if not collaboration between insurers and security vendors in 2023. “The borderless nature of networks, coupled with a threat landscape that is less predictable, necessitates the need for true risk quantification of companies’ security controls now more than ever. With that, I expect to see more investment into quantifying cyber risk. This will drive better collaboration and data sharing between security companies,” explains Jason Rebholz, CISO at Corvus Insurance. “Cyber insurance carriers will lean into partnerships with technology companies to fuse security data with insurance and risk modeling insights. The net result is more accurate risk quantification, which will in turn help keep policyholders safer.”

There is no silver bullet for cybersecurity. Breaches will continue and will continue to rise in cost and severity – and the insurance industry will continue to balance its books through increasing premiums, exclusions, and insurance refusals. The best that can be hoped for from insurers increasing security requirements is that, as Norman Kromberg, MD at NetSPI suggests, “Cyber Insurance will become a leading driver for investment in security and IT controls.”

An interesting comment comes from Jennifer Mulvihill, business development head of cyberinsurance and legal at BlueVoyant: “The underwriting process and the completion of an underwriting application are excellent ways to self-assess and consider the protection of assets from a cyber perspective. The information gleaned from these exercises is valuable information, not only for the CISO, but for the Board and CFO, and augments financial investments and regulatory compliance.” Insurers could charge for the right to apply for insurance, but if a prospective customer must pay, that customer could simply pay a cybersecurity consultant for the same service and ignore insurance altogether.


It is unlikely that the insurance industry will be able to balance its books through raising premiums and reducing payouts through increasing exclusions, nor yet eliminate claims through a required cybersecurity standard. The threats are too varied and too extreme.

“Obtaining or maintaining a policy is a challenge at scale,” comments Corey O’Connor, director of products at DoControl. “The bigger your business grows, the more challenging it will be to meet these requirements. More and more organizations were being dropped by providers throughout the last year, and going into 2023 there will likely be a trend of organizations being unable to receive coverage.”

 It may be that government will be dragged into the equation. “I think there’s going to be pressure on governments to clarify under what circumstances they’ll provide some sort of backstop for coverage of catastrophic cyberattacks, pressure on insurers to not exclude too many types of attacks, and pressure on policyholders to challenge these exclusions in court if their claims are denied,” suggests Josephine Wolff. “Rising premiums don’t seem to have deterred businesses from buying cyberinsurance, so I don’t know that these new types of exclusions will either, but I wonder how well they’ll hold up in the face of a major cyberattack.”

“Will Cyber insurance become an expensive ‘tick in a box’ or will it deliver real value?” asks Denbigh-White. “Will it even remain a viable offering from insurance companies in 2023? While carrying cyber insurance is rapidly becoming a ‘security prerequisite’ for many organizations, its benefit in relation to cost and cover remain uncertain as we move into 2023.”

But “Rule no.1,” warns Mark Warren, product specialist at Osirium. “Insurance always wins!” Insurance will get more expensive, more difficult to get, and less likely to pay out. “As a result, more organizations may decide not to take out insurance at all, instead focusing on ploughing resources into protection. If this happens, we can expect to see insurance companies partnering with big consulting firms to offer joined up services.”

He fears that buying cyberinsurance may simply become a cost of doing business. “Pointless it may be, if insurers are never going to pay out… but buying cyber insurance may simply become a necessary cost of doing business – a box that must be ticked to demonstrate to shareholders that all steps are being taken to protect the business and ensure resilience and continuity.”

Related: The Case for Cyber Insurance

Related: The Wild West of the Nascent Cyber Insurance Industry

Related: Cyber Insurance Firm Coalition Raises $250 Million at $5 Billion Valuation

Related: Cyber Insurance Firm Cowbell Raises $100 Million

About SecurityWeek Cyber Insights | At the end of 2022, SecurityWeek liaised with more than 300 cybersecurity experts from over 100 different organizations to gain insight into the security issues of today – and how these issues might evolve during 2023 and beyond. The result is more than a dozen features on subjects ranging from AI, quantum encryption, and attack surface management to venture capital, regulations, and criminal gangs.

Cyber Insights | 2023

The post Cyber Insights 2023: Cyberinsurance appeared first on SecurityWeek.

Why CISOs Make Great Board Members


As I discussed previously, the past three years created a perfect storm situation with lasting consequences for how we think about cybersecurity: 

  • Digital transformation accelerated significantly. Projects took off due to the pandemic and remote everything—work, manufacturing, healthcare, you name it—became imperative for business survival.
  • Ransomware went for the jugular. Critical infrastructure organizations had to navigate an escalating threat landscape, especially a surge in ransomware attacks as threat actors understood that the value of operational technology (OT) networks and the availability of crypto payment infrastructure improved their chances for pay-outs. 
  • Cybersecurity became critical to business. Under siege, businesses prioritized building resilience for which cybersecurity is essential and, when done well, can drive competitive advantage. 

The impact of this perfect storm on boardroom conversations has been that cybersecurity technologies and teams have shifted from being viewed as a cost center to a business enabler. The shift is so crucial to business outcomes that Gartner expects that by 2025, 70% of CEOs will mandate a culture of resilience and recommends risk leaders recognize resilience as a strategic imperative to survive a confluence of threats. The mission is no longer just to protect, but to build trust that the business can operate even under strenuous conditions and to accelerate innovation within business units. That is very different from how security teams operated for the last two decades.

Businesses that invest in cybersecurity as a competitive advantage are transforming their business models. Every company is or will become a technology company, and those doing it faster are winning. Accenture refers to companies that have doubled down on technology and innovation as “leap froggers”, growing five times faster than laggards in the past three years.

Geopolitics contributes to this storm and need for board change

Geopolitical conflict has raised the stakes even further and is here to stay, whether in its aggressive form of the Ukraine conflict or more subtle, as in the competition between the U.S. and China. That means companies that are a meaningful part of the economy of their countries, or that hold strategic importance because of the sector they operate in, will find themselves increasingly as targets in those conflicts. 

In addition to needing to significantly increase their collective understanding of technology innovation risk and objectives, CEOs and board members need to understand how the current geopolitical situation could be affecting the organization’s risk posture, adversaries’ motivations, and how best to dedicate resources. 

Many CEOs and board members are finding it exceedingly complex in this current climate to accurately identify, much less reduce risk, which is why shifting the makeup of boards is needed. A vast majority of board members are former CEOs and CFOs, with most new directors still coming from those backgrounds (26% and 23%, respectively). The good news is that 17% of new directors now come from the technology sector which is beginning to fill the hands-on experience gap of navigating technology-led businesses.

CISOs as board members 

One natural solution to infuse more technology and security expertise on boards is to recruit CISOs and CIOs for those positions. While just a few years ago that was mostly unthinkable, today an increasing number of boards are seeking out those experts, even if it means attracting board members with no prior board experience. That in itself is helping break another unfortunate aspect of boards: a lack of diversity and infusion of fresh perspectives and experience to handle emerging oversight challenges such as digital transformation and cyber and operational resilience. While we aren’t where we need to be, progress is happening and now 14% of CISOs say they sit on a corporate board or both a board and an advisory committee.

Even as first-timers, successful CISOs make for successful board members. In the last few years, the best CISOs have pushed their organizations outside of their comfort zones, resulting in high-ROI projects that contribute significantly toward the digital transformation of the organization. The spirit of this relentless pursuit to transform is highly impactful at the board level, and the practical knowledge those CISOs bring is very valuable. 

Another encouraging trend, Gartner predicts that by 2025, 40% of companies will have a dedicated cybersecurity committee. Who is better suited than a CISO to lead that conversation? Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. CISOs can provide advice on moving forward with digital change initiatives and help companies prepare for the future. They can explain the organization’s risk posture, including exposure related to geopolitical conflict as well as to new business initiatives and emerging threats, and what can be done to mitigate risk.

Lastly, the role of the CISO has evolved from being a risk metrics presenter to a translator of risk to the business. Therefore, the expertise CISOs have developed in recent years in how to explain risk to the board makes them valuable contributors to these conversations. They can elevate the discussion to ensure deep understanding of the tradeoffs between growth and risk, enable more informed decision-making, and serve as guardrails for total business alignment.

The future belongs to the companies who are fastest and boldest in their adoption of technology as a competitive advantage. To best protect this future, we need technology and cybersecurity leaders on boards who understand and can translate the risk side of equations into successful business outcomes. 

The post Why CISOs Make Great Board Members appeared first on SecurityWeek.