By Keely Wilkins. Keely Wilkins is an Evangelist with the Office of the CTO as well as a Pre-Sales Security Engineer in Virginia. She has worked in the technology industry for nearly thirty years, holds an MS in Cybersecurity and a variety of certifications. Keely endeavors to find balance among transparency, predictability, and security.
In this article, Keely presents a path for meeting cyber insurance requirements via a prevention-first cyber security strategy. Her research shows that aligning with the NIST Framework, having an action plan for continuous improvement, and aiming to prevent attacks nets better security results than simply detecting threats alone. This article is part two of a three part series. Part one can be found here.
What is the relationship between legislation and insurance?
The relationship between legislation and insurance is multi-faceted, as it encompasses elements of business, geo-political, financial, and nation-state activities. For the purpose of this article, the focus will be on the relationship among the NAIC Insurance Data Security Model Law, the NIST Framework, and one example of US state-level legislation.
The cyber insurance industry uses the NIST (National Institute of Standards and Technology) Cybersecurity Framework as a benchmark when writing insurance policies for organizations. The framework is produced and maintained by NIST, an agency of the US Department of Commerce, and has been vetted by technology and security experts. Some state-level legislation, as a result, mirrors the insurance model law. In other words, the insurance industry promotes security best practices, and the legislation in turn supports the insurance industry.
This relationship is a guide for:
- Security practitioners to help their organizations
- Vendors and MSSP partners to help customers
- The board of directors in protecting shareholder investments
I encourage readers to research how their state-level legislation aligns (or doesn't) with the cyber insurance industry. The National Conference of State Legislatures site provides a search field to look up proposed and passed legislation per state. Here is the link.
What other factors promote a prevention-first security strategy?
The NAIC 2022 "Report on the Cyber Insurance Market" was referenced in part one of this series to illustrate the financial challenges the insurance industry is facing with cyber insurance policies, and how those challenges have resulted in increased premiums and decreased coverage. From that report and other industry-specific sources, the top minimum security requirements were derived and shared.
The "Cost of a Data Breach 2022 Report" from IBM is used to demonstrate the costs per breach at the point of containment as well as the long-tail costs that extend two to three years beyond the point of containment. Per the report, "In highly regulated industries, an average of 24% of data breach costs were accrued more than two years after the breach occurred". The highly regulated industries include healthcare, financial, energy, pharmaceuticals, and education. The long-tail costs for less regulated industries also continue to accrue, but at a different pace.
The average time to detect and contain a breach is 277 days, as per the IBM report. The starting point on the above chart is Day 1 of containment. The long-tail costs continue to accrue for at least another two years. This impacts share price. Per Comparitech's "Data Breach Share Price Analysis" report, share price drops an average of 15.6% by year three post-breach, and the decline accelerates when highly sensitive data is compromised during the breach.
What does a prevention-first security strategy entail?
The information published by the insurance industry, government entities, and security research gives us a base formula. Mapping the cost data from the IBM report to the NIST Framework, then aligning the result with the top minimum requirements stated by insurance sources brings us to the following.
- Zero Trust Architecture is touted as the next big thing, but ZTA has actually been around for over a decade. ZTA is effective, as it underpins the objective of a prevention-first strategy. Areas of concentration for your ZTA include identity governance, endpoint, mobile, email and collaboration tools, remote access, cloud network, cloud workloads, cloud applications, cloud compliance, on-prem and virtual firewalls, IoT, ICS/SCADA, and SD-WAN environments. A partial deployment of your ZTA is not sufficient.
- Business processes are often overlooked, as they do not sound as enticing as their technical counterparts do. Business processes include the business continuity plan, board level oversight, cyber insurance, crisis management, and compliance requirements.
- MSSP Services – Having certified security professionals in the right roles is paramount to the success of the security strategy. Security vendors, resellers, and/or third-party companies that focus solely on security services can provide these roles. Among the services of greatest value are Incident Response, XDR/XPR, and staff training.
- Training – Staff are the first line of defense against many threat vectors. Ensuring the whole staff has the training to identify threats and respond appropriately is key. Similarly, making sure trained security professionals are in the appropriate security roles helps to ensure success.
What is one example of cost savings through a prevention first security strategy?
The below graphic is from IBM's report. The left hand column lists items that produce a cost savings during a breach; the right hand column lists items that result in added costs during a breach. The figures presented are an average savings/cost per breach.
Using the first and last items as examples, it states that having an AI-based security platform saves an organization ~$300K per breach. Conversely, having complex security systems (multiple vendors, limited integration, poor logging, and limited log correlation) costs an organization ~$290K per breach. They nearly cancel each other out. Viewing the list as a whole, there is a cost savings of ~$4.2M per breach and added costs of ~$1.1M per breach. Clearly, there is room for improvement.
Has threat detection fallen out of favor?
I do not believe it was ever truly favored. It has been the only option offered by many security vendors for a long time, so it became the accepted methodology. Threat detection has a legitimate place in security, though the scope of its effectiveness is quite narrow. During a Proof-of-Concept (POC), we always configure the solution in detect-only mode. This is because it is a new tool that the engineers are not familiar with, and they will see events during the POC that they have likely never seen before. Threat detection is perfect for this type of scenario, and for new installations or new policies where there is a learning component for both the staff and the system. Once the impact and effectiveness are understood, there is a natural graduation away from detect-only mode and toward prevention mode. Prevention is security; security is the counterweight to insurance.
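To make the detect-only-to-prevention graduation concrete, here is an added illustration using Suricata signatures; it is not part of the original article and does not describe any particular vendor's product. The rule content, SIDs and message text are hypothetical, chosen only to show that in Suricata the graduation is a change of the action keyword (and of the sensor's deployment mode), not a rewrite of the rule.

```suricata
# Added example (not from the article). Hypothetical rule content and SIDs.

# POC / new deployment: detect-only. "alert" logs the match and lets the traffic
# through, so the team learns what the rule actually fires on before it can
# disrupt production traffic.
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"POC - admin path probe"; flow:established,to_server; content:"/wp-admin/"; http_uri; classtype:web-application-attack; sid:9000001; rev:1;)

# Graduated to prevention: same signature, same sid, bumped rev, action "drop".
# In inline (IPS) mode the packet is discarded and the session ends. In IDS mode
# Suricata treats "drop" like "alert", so the rule cannot block anything until
# the sensor is actually deployed inline.
drop http $EXTERNAL_NET any -> $HOME_NET any (msg:"PROD - admin path probe"; flow:established,to_server; content:"/wp-admin/"; http_uri; classtype:web-application-attack; sid:9000001; rev:2;)
```

The deployment mode is the part people forget: a sensor started in passive capture mode (for example with `--af-packet` on a mirror port) only ever alerts, whereas prevention requires running inline, for example with `-q 0` behind an NFQUEUE firewall rule, so that the engine sits in the packet path and its verdicts take effect. Checking which mode the sensor is in is a quick way to confirm whether a "prevention" policy is really preventing anything.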
We, as a security community, need to graduate to a prevention-first strategy. Doing so decreases breaches, lowers immediate and long-tail costs associated with breaches, and helps to protect the value (share price) of our organizations.
References:
https://scc.virginia.gov/pages/Cybersecurity
https://content.naic.org/cipr-topics/cybersecurity
https://content.naic.org/sites/default/files/inline-files/MDL-668.pdf