The Future Of Cyber Risk And Bringing ROI To Security
Is it possible to understand the impacts of cyber incidents before they happen?
President and CEO of Secure Systems Innovation Corporation (SSIC), John Frazzini, joined episode #92 of Task Force 7 Radio this week to talk with Guest Host Andy Bonillo, VP & CISO of Ciena. Frazzini discussed a recent SSIC announcement that will affect the way cyber risk is measured into the foreseeable future. He explained how the insurance industry is set to disrupt the cyber security industry as well as his company's efforts to understand the effectiveness of cyber security controls, including how a company can accurately measure their return on investment.
Frazzini also talked about how he sees businesses managing cyber risk in the future, the various models and approaches that seek to understand cyber risk in financial terms, and if it is now possible to understand the impacts of cyber incidents before they happen. Frazzini wrapped up by explaining how companies will have to adjust their strategies to become more effective in managing and mitigating cyber risk to their environments.
The Most Significant Change In Cyber Security
Bonillo opened the show by asking Frazzini what he sees as the most significant change in cyber security right now. From a macro perspective, Frazzini said he is looking at how cyber security effectiveness is measured, and at how organizations keep returning to the question of how to bring ROI to cyber security.
“We've been talking about that in this industry forever since I've been in it, approximately 20 years,” he said. In other words, how do you achieve an effective security program that maps to financial relevance? We all know that cyber security ROI has been relatively elusive.
See Related: “The Economic Side Of Cyber Security Risk Management”
“One of the biggest changes that I'm seeing and kind of a transformation that's taking place is how the insurance industry is starting to construct the modeling that can make sense of the cyber security environment in financial terms, in order to help organizations understand how they could be financially impacted with various cyber incidents. So the most significant thing that I see that's happening — and this is just in the last few years — is how the insurance industry is starting to inform the financial analysis that could lead to effective cyber security decision making,” Frazzini said.
“Being able to articulate the work that you're doing, why you want to do it, and how it's going to impact the business,” added Bonillo. “We always say that in cyber security, ‘Oh, we don't talk about making sure we're aligned to the business, we're in to protect the business.’ But we don't speak in business terms, which is really ROI, which is really dollars and cents.” So, Bonillo then asked about how businesses will be managing risks in the future.
According to Frazzini, cyber security in the future will be centered on financial analysis: forming an understanding, in financial terms, of the expected loss from the various cyber risk issues that affect your business. “So over the course of the last 20 years, the cyber security industry has been created and exists today. And it's almost been an arms race, where technology has been stacked on top of technology, and it goes through various, what I call hype cycles. So as the problem became prominent, as digitization became the reality of business today, the challenges were always, what do we do about the risk? What do we do about the security threats that exist? And so what you saw is a lot of blocking and tackling, a lot of technology development that was leading the business around,” Frazzini explained.
He continued, “And in order to stop bad things from happening, you need to deploy better technology. But there was never really a correlation on as to whether or not that better security technology was actually relevant to the business, other than you're just trying to put Band-Aids on top of problems that digitization brought forward. And so I think the future state, like in all other areas of risk management, the ability to deconstruct how technical bad things happen from a security perspective, inform the expected loss or the financial impact of an organization is the future, like in the not too distant future. I think it'll be thought of as unheard of that organizations are not managing cyber risk from a financial analytics perspective. That will be driving the intersection between the technical and the business, and I think that's where the future resides.”
So how can companies prepare for this shift? Frazzini and Bonillo offer this advice:
Executives should understand that they need to find a way to link what they’re doing technically from a security strategy perspective to the business. There’s an opportunity to evolve from technical thinking to strategic business thinking in the area of security. It doesn't just help frame your board deck, it's going to help frame your conversation top-down and really start to change how cyber practitioners view their role going forward, not just from a tactical, but to a strategic, to a business executive mindset.
See Related: “Enterprise Cyber Security And The Role Of The C-Suite”
Understanding Cyber Risk In Financial Terms
A lot of work has gone into formulating how to convert the technical information collected through a security program into something that makes sense from an economic perspective. Frazzini explained that we, as members of society, rely on the insurance industry to formulate underwriting standards. That is the backdrop of what we do every day as members of our community: you buy car insurance, you buy home insurance. Both of those markets have been stabilized through the insurance products built around them.
So cars are safer today because of insurance underwriting. The ability of insurers to understand the financial impact of auto accidents informs better safety. Insurance underwriting that understands the expected loss from damage to your house leads to safer living, safer housing, safer building. Extrapolate that into the business community and it helps with building big skyscrapers. There are a lot of technical things you can deploy to build a car, a house, or a skyscraper. You can engineer a lot of things, but if you don't filter them through how bad things can happen from a financial perspective, it is hard to understand how best to move forward.
“So I think the future in modeling and the future of how the cyber security issue is going to stabilize within the business community is by having the underwriting standards that come through provide that directional guidance to companies to find ways to reduce, suppress, or transfer financial exposure related to cyber incidents,” Frazzini said.
So if you think about where the future goes from a modeling perspective, modeling in a vacuum doesn't really help anybody, but modeling related to an insurance application does because the insurance industry has everything to lose, Frazzini explained. “They're the ones that are placing the real bets, which is they're accepting the risk onto their books. And so I think the future in modeling is going to come through the insurance industry like you see in all other aspects of how risk is managed in our personal lives as well as our business lives.”
Breakthrough In Cyber Security Risk
Frazzini then described what he sees as the big breakthrough in cyber risk: the insurance industry is starting to understand how cyber incidents unfold in technical environments, and how the technical impact they produce correlates to financial exposure. The insurance industry has been evolving at a very rapid pace. In the background, insurers are figuring out, very succinctly, how technical bad things happen within an organization and what the corresponding financial exposure would look like should those bad things happen.
They are building the underwriting mechanisms; they are building the expected financial loss analysis that guides the product decisions of cyber insurance. “And I think that's going to have a significant impact on the cyber security industry, and it's going to bring a lot more clarity and confidence with business executives to operate in today's digital world,” according to Frazzini. “Because right now, the uncertainty is an impediment to moving business forward. The insurance industry, as it builds stability in the cyber risk domain, is going to unlock opportunities, and the businesses that do it right and do it smart are going to have an advantage.”
Bonillo added, “So when you underwrite insurance, a lot of the time it's subjective. And even when you're doing third-party risk and vendor management, you have to rely a lot of the time on what they tell you. Where do you see the future of transitioning from subjective to objective data, to get really more quantifiable, validated data into this process?”
Frazzini answered that it is happening right now. Historically, he explained, cyber security decisions were made on the basis of subjective opinions from subject matter “experts” about what a business should do. What is happening in the insurance industry is exactly what Bonillo alluded to. The insurance industry is not looking to make subjective bets. It does not exist to apply guesswork, which is what a lot of cyber modeling has been to date: put your finger in the air and guess. The insurance industry deals with very significant disciplines like actuarial science, where insurers are regulated to model objective information and to use modeling that takes an objective approach. So you can't just put your finger in the air and place an insurance bet. There are regulatory impediments to doing that.
“But more importantly, insurance companies aren't going to make huge bets if they don't understand what the risk is that they're underwriting. And so what you're seeing is a significant shift from the subjective to the objective. And there's various pockets of excellence that are taking place in the marketplace today where you're seeing the convergence of the objective data that exists to the objective modeling that's available in order to unlock capacity in the insurance markets. And so as that happens, that's also going to have an associated effect in how cybersecurity strategy is implemented from my perspective,” said Frazzini.
Cyber Insurance Market Today And Tomorrow
Frazzini then turned to the cyber insurance market, which some still say is too small to make a difference. He said there is a today view and a tomorrow view. Today, the cyber insurance marketplace does not have enough capacity to absorb the financial loss that could result from cyber incidents around the world, so the cyber insurance industry is not making a dent just yet.
“Well, what I will tell you is the insurance industry sees this as a once in 100-year opportunity for themselves to grow into a new insurance product line, doesn't come very often in insurance. There's only so many times and you can invent home insurance, or you can invent auto insurance. So the insurance industry is old, it's been around forever. It is currently growing at some estimates at three to five times the broader insurance market. So the cyber opportunity for insurers is, from their perspective, explosive,” Frazzini said.
So it is true that today the cyber insurance industry is not equipped to absorb the totality of financial exposure that exists in the marketplace. “There is no doubt. It's in its infancy. However, the tomorrow view is when the insurance industry starts getting it right, when they start building these underwriting metrics in order to increase capacity, you're going to start seeing an explosion of availability of cyber insurance coverage that didn't exist before, and that is going to be the inflection point of change, I believe,” he added.
Frazzini offered an example from a major insurance company, whose global head of cyber insurance told him just a few months ago that they typically would not write any single cyber policy, for any company regardless of size or shape, for more than $10 million.
Now, if you're a Fortune 100 company, buying $10 million of cyber insurance is a rounding error to you. If you're Bank of America, said Frazzini, it doesn't matter to even have the insurance. “I was just told that they are now placing up to $70 million of coverage. So it's going from... and this is a direct result of more precise and capable underwriting metrics. And so we're watching just within the last year the ignition point of change, where you're going to go from offering 10 to 70 million to, let's say, $100 million. It's inconceivable today to think that an insurance carrier will take on $1 billion of cyber exposure in the marketplace. It's inconceivable today. But as the underwriting metrics become more prominent and more deployed, I think you're going to see an explosion and how the cyber insurance marketplace can start absorbing more capacity, and then that will have a natural pull-through effect as to how companies manage cyber risk.”
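As an added worked example (not code from the page, from SSIC, or from any insurer), the block below puts the expected-loss, control-ROI and coverage-limit arithmetic discussed above into runnable Python. Every distribution and number in it is a constructed assumption for illustration: incident frequency is modeled as Poisson, per-incident loss as lognormal, a security control as a fixed-cost reduction in incident frequency, and a policy as an annual aggregate retention plus a limit. The point it makes is Frazzini's: once loss is expressed in dollars, the ROI of a control and the value of a $10 million versus a $70 million limit sit on one scale, and the answer is only as good as the objective frequency and severity data fed in.

```python
"""Expected-loss, control-ROI and risk-transfer arithmetic for cyber risk.

Added worked example; NOT SSIC's model or any insurer's underwriting model.
All distributions and parameters are constructed assumptions:
  - incidents per year  ~ Poisson(frequency)
  - loss per incident   ~ lognormal with the given median and sigma (USD)
  - a control scales incident frequency by (1 - reduction) at an annual cost
  - a policy pays min(max(annual loss - retention, 0), limit) per year
"""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class RiskProfile:
    frequency: float    # expected incidents per year (Poisson rate), assumed
    median_loss: float  # median loss per incident in USD, assumed
    sigma: float        # lognormal shape (std dev of log loss), assumed


@dataclass(frozen=True)
class Policy:
    retention: float  # annual aggregate deductible, USD
    limit: float      # maximum annual payout, USD


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's method; adequate for the small rates used here."""
    threshold = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1


def annual_loss(rng: random.Random, profile: RiskProfile) -> float:
    """One simulated year: sum of per-incident losses."""
    n = poisson(rng, profile.frequency)
    mu = math.log(profile.median_loss)
    return sum(rng.lognormvariate(mu, profile.sigma) for _ in range(n))


def simulate(profile: RiskProfile, years: int = 20000, seed: int = 7) -> list:
    """Monte Carlo: one gross loss figure per simulated year (seeded, repeatable)."""
    rng = random.Random(seed)
    return [annual_loss(rng, profile) for _ in range(years)]


def expected_loss(losses: list) -> float:
    """Expected annual loss: the mean of the simulated years."""
    return sum(losses) / len(losses)


def loss_exceedance(losses: list, threshold: float) -> float:
    """Probability that a year's gross loss exceeds `threshold`."""
    return sum(1 for x in losses if x > threshold) / len(losses)


def insured_loss(gross: float, policy: Policy) -> tuple:
    """Split one year's gross loss into (retained by insured, paid by insurer)."""
    paid = min(max(gross - policy.retention, 0.0), policy.limit)
    return gross - paid, paid


def transferred_share(losses: list, policy: Policy) -> float:
    """Fraction of simulated loss the policy moves off the insured's books."""
    paid = sum(insured_loss(x, policy)[1] for x in losses)
    return paid / sum(losses)


def control_roi(profile: RiskProfile, frequency_reduction: float,
                annual_cost: float, years: int = 20000, seed: int = 7) -> float:
    """(avoided expected loss - control cost) / control cost."""
    before = expected_loss(simulate(profile, years, seed))
    mitigated = RiskProfile(profile.frequency * (1 - frequency_reduction),
                            profile.median_loss, profile.sigma)
    after = expected_loss(simulate(mitigated, years, seed))
    return (before - after - annual_cost) / annual_cost


if __name__ == "__main__":
    # Constructed parameters: two incidents a year, $250k median loss, fat tail.
    base = RiskProfile(frequency=2.0, median_loss=250_000, sigma=1.5)
    losses = simulate(base)
    print(f"expected annual loss: ${expected_loss(losses):,.0f}")
    print(f"P(annual loss > $5M): {loss_exceedance(losses, 5_000_000):.3%}")
    for limit in (10_000_000, 70_000_000):
        pol = Policy(retention=1_000_000, limit=limit)
        share = transferred_share(losses, pol)
        print(f"${limit / 1e6:.0f}M limit transfers {share:.1%} of simulated loss")
    roi = control_roi(base, frequency_reduction=0.5, annual_cost=200_000)
    print(f"ROI of a control halving frequency at $200k/yr: {roi:.2f}")
```

Run it directly to print the expected annual loss, the probability of a year exceeding $5 million, the share of simulated loss each policy limit transfers, and the ROI of a control that halves incident frequency. Replacing the constructed parameters with an organization's own incident and claims data is the substantive work; the arithmetic does not change.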
To keep up with cyber, the insurance companies are changing the way they do business. The point is that they are forming a base understanding of how to underwrite cyber exposure, and building the ability to do so. Compare auto insurance, where we all pay different rates for many reasons. Some people are simply not insurable, because carriers don't want to take on the worst drivers: if you have three DUIs or have been in seven accidents, it is going to be very hard for you to get auto insurance.
What is happening in the cyber insurance market is that insurers are starting to form an understanding of who and where the safe risk is, and where the ‘risky risk’ is. If your company looks like a high risk for cyber threats because your security strategy is not mapped to your financial impact, and you are not able to operate your business safely by the insurer's understanding, you may not be able to transfer your risk. The companies that do it well will be able to transfer the most risk off their books onto an insurer, giving them a significant competitive advantage into the future. “And that's going to have a significant impact not just in terms of who's a safe insurance bet, but who's the most competitive businesses that can thrive into the future,” Frazzini said.
So what can information security executives do to make their company a better insured risk? Frazzini encouraged anyone currently in an executive leadership position in security to know who their insurance broker is, and to understand how their company is seeking to transfer the cyber risk associated with the security program they manage. “In the future, it will be an absolute norm for security executives to have a full understanding of how their security programs impact the risk transfer strategy within their companies. And if you don't have your fingers on that right now, it's probably an area you might want to spend some professional development around, because that's where it's all going,” predicted Frazzini.
See Related: “How To Measure Cyber Risk On Your Digital Assets”
The ‘Task Force 7 Radio’ recap is a weekly feature on Cyber Security Hub. To listen to this and past episodes, click here.