Computer Fraud & Security, April 2015

FEATURE

any delays and issues caused by the current global shortage of IPv4 addresses. Some of your things may require access from the Internet or from third-party networks. Don't let a lack of routable IP address space hamper your IoT implementation.
To prevent network teams from becoming overwhelmed as greater numbers of more varied devices join the IoT, consideration should also be given to network control and automation systems, which can help tackle the inevitable increase in time-consuming manual tasks, such as IP address management, caused by an exponential increase in the number of devices on the network.
The Internet of Things represents myriad new and exciting opportunities, many of which are yet to be considered. But the IoT relies on networks, using secure underlying networking technologies deployed and managed by network managers and administrators. And although more than a third of respondents (37%) believe concerns over IoT security to be nothing more than hype, security threats are the most potent obstacle to the IoT reaching its full potential.

About the author

Cricket Liu is chief infrastructure officer at Infoblox (www.infoblox.com) and serves as a liaison between Infoblox and the DNS community. In nearly 10 years at HP, he ran hp.com and helped found HP's Internet consulting business. He later co-founded his own Internet consulting and training company, Acme Byte & Wire. After its acquisition by Network Solutions and subsequent merger with VeriSign, Liu became director of DNS product management.


Could taking out cybersecurity insurance help you get a seat on the board?

Cath Everett, freelance journalist


Information security professionals have been bemoaning their lack of representation at board level for some time. In an age where the volume and sophistication of cyber-threats is rocketing, not least due to the emergence of the Internet of Things, which, it seems, is destined to assign everything, including the clothes you stand up in, an IP address, infosec really must be taken more seriously, so the argument goes.
And what better way to do that than have the function represented at the top table? Such a position would make all the difference in the world, as the people who know would be involved in strategic decision-making from the ground up rather than just being consulted as a belated afterthought. But apart from one or two exceptions in sectors such as banking or critical national infrastructure, this situation simply isn't happening, mainly because professionals are regarded primarily as techies.
According to a 2014 survey undertaken on behalf of malware protection software vendor ThreatTrack Security, just over two-thirds of the 203 C-level executives questioned felt that their chief information security officer (CISO) colleagues failed to have a sound grasp of business requirements and objectives.1 About the same number believed that they would not be up to the job if they assumed another leadership role outside of the information security function. But a worrying 28% also pointed out that the actions of their CISO had actually had a negative impact on the financial health of the organisation due to things like lost business, drops in productivity, falling service levels and the like.
As a result, a huge three-quarters of respondents felt that CISOs should not be part of the overall leadership team. Their role instead, they said, was simply to be accountable for any organisational data breaches (44%).

Mike Gillespie, director of information security consultancy Advent IM, explains that one of the problems here is that infosec professionals are all too frequently promoted up the management chain without having suitable experience or being given any pertinent training.

Language barrier
Another issue is that the profession is comparatively young, having only been in existence for the past 30 years or so. This means that the current generation of practitioners often started their careers as hobbyists, but found that they were able to make a living doing what they enjoyed. The opportunity to follow a more structured, formal career path associated with professions such as lawyers or accountants was simply not open to them.
A key challenge as a result, says Gillespie, is the language barrier that often exists between them and senior business leaders. "It's a combination of infosec people not speaking business and the business not speaking techie, so they just don't understand each other," he explains.

How executives view CISOs. Source: ThreatTrack Security.

In other words, rather than talk about risks and threats in plain English, infosec practitioners have a tendency to talk about functionality, peppered with lots of acronyms and jargon.
Business leaders, on the other hand, often fail to understand the seriousness of managing information security properly or the need for generating cultural change from the top down. A study by management consultancy PwC indicates, for example, that, even after last year's high profile security breaches at firms such as US retailer Home Depot and Japanese electronics giant Sony, a mere two out of five boardrooms actively get involved in formulating the organisation's overall security strategy. The Global State of Information Security Survey 2015 was based on interviews with 9,700 CEOs, CFOs, CIOs, CISOs and security practices across more than 154 countries.2

Mike Gillespie, Advent IM: "It's a combination of infosec people not speaking business and the business not speaking techie."

But it seems that an unlikely ally in the quest for board-level representation, or even just a senior leader's ear, may now have finally arrived in the shape of cyber-security insurance.

An unlikely ally
Although such insurance may have been around for at least a decade in the guise of general liability or business interruption policies, it is only over the past 18 months or so that it has started to appear in the form of separate, dedicated products. The creation of this specialist market has been sparked, of course, by the high level of well-publicised, and costly, mega-incidents that have taken place lately, leading to insurance companies spotting a gap in the market and deciding to fill it. And, interestingly, among the large organisations that PwC spoke to in its study, around 51% had already bought into the idea and made some kind of purchase, up from 45% the previous year.
In fact, so popular is it proving that Juergen Weiss, managing vice president of Gartner's industry research group, valued the total market at around $1.7 billion in 2014. He is also forecasting growth rates in the double digits, although he puts current penetration levels at more like 25-35%, with the US being the largest market by far as a result of its data breach notification laws, which have been enacted in all but three of its 50 states.


The average total organisational cost of a data breach over two years. Source: Ponemon Institute/IBM.

This legislation makes it necessary to inform customers should a security incident take place, something that has proved to be a costly business for organisations, not just in clean-up terms, but also because of the brand damage and subsequent loss of business that results from going public. Industry research body the Ponemon Institute's 2014 Cost of Data Breach Study: Global Analysis, for instance, points out that the average price tag for dealing with a security event last year was a huge $3.5m, a leap of 15% on the previous 12 months.3

But although around 80-90% of premiums are currently purchased in the US, says Weiss, last year's high profile breaches and the resultant media attention have also led to growing interest in other territories too. "Moreover, the fact that Europe is due to introduce European-wide data privacy regulations in 2016 also means that we can expect to see a growing appetite outside of the US, as the legislation is expected to include data breach notification rules of its own," he adds.

Immature market
The most likely sectors to put their hands in their pockets and buy cyber-security insurance today, meanwhile, are aerospace and defence, automotive, pharmaceuticals, utilities and financial services.
But a key concern at the moment is that the market is far from mature. A big problem here is the lack of clear standards for defining information security risk in an insurance context. This means that too many insurers offer one-size-fits-all policies based on information provided by customers on forms that tend to swing from being extremely basic to bewilderingly complex.
To try and remedy this hit-and-miss situation, a number of the larger providers are now starting to hire information security experts in order to help them come up with relevant data models. These models will be used to assess risk, which in turn will inform the kind of policies, premiums and pay-outs that customers can expect.
"To get car insurance, you need a valid driving licence and to declare any points so that they can work out how safe a driver you are," Advent IM's Gillespie explains. "It goes into a matrix and they calculate the premium from that. But there are no models like that for cyber-insurance at the moment."
Another problem is that, while there are about 25 insurers, including Zurich, Allianz and Chubb, in the UK alone, the nature and quality of their policies vary widely, with some being subject to high numbers of restrictions and exceptions. But this lack of a level playing field, says Gillespie, inevitably makes the sector very confusing for customers. "There are a range of policies, but no real benchmark and so it's very hard to compare them effectively," he says.
To make matters worse, all too few information security practitioners are even included in cyber-security insurance discussions in the first place. Control of the insurance portfolio has traditionally fallen under the remit of company secretaries, finance directors (FDs) or risk officers, who generally have good relations with their brokers and rarely think to consult their infosec colleagues, despite the specialist nature of the questions being asked on policy application forms.

Missing a trick
But even if they do ask, it appears that many practitioners are cynical about the value of such cover anyway as, despite the high cost of dealing with breaches, they fail to understand why it is necessary. According to a poll conducted at the Infosecurity Europe show last year, for instance, more than two-thirds claimed that their organisation did have some form of cyber liability insurance in place. On the other hand, 63% professed themselves sceptical that insurers would pay out if they were hit.
The problem in taking such a stance, however, is that infosec professionals could be missing a trick. The issue is that, as the insurance industry continues to ramp up the amount of noise it makes about its new cyber-baby over the year ahead, brokers will inevitably start raising the matter with whoever looks after the insurance portfolio. The portfolio holder, in turn, may well give their head of security a visit to find out more, putting them on the back foot if they know very little about it.

Neil Hare-Brown, chief executive of risk management consultancy Storm Guidance, which advises insurers, brokers and customers on everything to do with cyber-security insurance, says: "If you think about it, facilities managers may not take out insurance for floods and the like, but they all know about it, and they wouldn't say 'we've got a sprinkler system so why do we need insurance?' But that's effectively the line that infosec people are taking."

Neil Hare-Brown, Storm Guidance: "Infosecurity people should take the conversation to senior managers."

Instead, rather than see cyber-security insurance as a potential threat, Hare-Brown encourages practitioners to view it as "a bloody good opportunity". He adds: "Infosecurity people are always harping on about having no representation on the board and that no-one at senior management level listens to them. But rather than wait for the baton to come their way, they should take the conversation to senior managers. It'll help them score brownie points and they'll be taken more seriously as they'll be seen to be more in tune with the business."

Becoming an influencer
While Hare-Brown does not think that practitioners are likely to become the purchasing decision-makers any time soon, he does see them playing a key role as influencers.
"But I'm worried that, unless they pick up the baton, they won't even be that and the FD will just buy something and not even ask them about it, which wouldn't be good," he says. "It's quite vital that information security is involved as they understand the risk to the organisation and how it's being mitigated, and insurers want to know that too."

Another point to bear in mind, in the UK at least, is that cyber-security insurance is becoming increasingly bound up with the government's Cyber Essentials Scheme, an accreditation to encourage businesses in general, and small-to-medium enterprises in particular, to put basic security controls in place. Compliance with CES standards is already compulsory for government departments and all IT service suppliers to the public sector, although history tells us that such requirements generally tend to filter down elsewhere. But accreditation in future is also expected to include taking out cyber-security insurance, albeit at lower rates than those organisations that have not been accredited.
As a result, getting a good handle on the whole insurance situation will only become more important over time. This means that practitioners would be well advised to get ahead of the curve and be proactive in keeping senior managers in the loop.
However, as Advent IM's Gillespie warns, despite all of this, cyber-security insurance should never, ever be viewed as a replacement for getting the basics right, hence the need for infosec professionals to be involved from the ground up.
"Insurance is a useful tool in the toolkit. Everyone can see the reasons for having it, but it can't be at the cost of ensuring that you have good quality processes, policies and controls in place," he says. "The danger is that people buy the premium and forget to do the foundation work, but unfortunately, on its own, insurance is just a waste of money."
Gartner's Weiss agrees. "I think it is worth looking at insurance if you treat risk management from an holistic perspective by examining the risk of occurrence versus impact," he says. "But in no way should it replace good risk management. It's really just a complementary addition."

About the author

Cath Everett has been an editor and journalist for more than 20 years, specialising in information security, employment, skills and all things HR. She has worked in the online world since 1996, but also has extensive experience of print, having worked for publications ranging from The Guardian to The Manager. She returned to the UK from South Africa at the end of 2014, where she wrote a lifestyle blog for International Business Times.
...Continued from page 3
States," he said. "This order formalises the administration's ability to use these tools, as the US has done in the past with other types of criminal activity."
He added that the order expands the US Government's options when responding to attacks, but that the potential response by other nations is less clear. "If the administration actually exercises these economic options, we'll experience previously unknown political friction between major countries. The most obvious targets of concern are Russia and China, but the world is economically and technologically interconnected in complex ways that make the consequences hard to predict. Spheres of economic influence are broader than geographic borders. Changes in how we respond as a country to cyber-attack will push the difficulties in accurate attribution to the forefront. The US will have to be very, very sure of the perpetrator before pulling the economic trigger."
Corey Thomas, president and CEO of Rapid7, also believes that the effectiveness of the new approach remains to be proven, but generally welcomed it. "At first blush the framework looks pretty reasonable. It includes thresholds for the harm that must be caused in order to pursue this kind of penalty, as well as details on the process for vetting perpetrators," he said.
Anti-hacking legislation often has a potential chilling effect on security research, so Thomas said he thinks it's important that the Department of Treasury has stated it doesn't intend to pursue researchers under this order. "Security research is essential for understanding how cyber-attackers operate, and identifying issues that provide them with opportunities for exploitation," he said. "The findings help businesses and consumers protect themselves, yet in order to do this, researchers have to behave like attackers, and this can lead to legal complications and uncertainty. It's challenging to create policy that protects researchers without providing a backdoor for criminals, so it's a positive step to see the Government clearly distinguishing between types of actors and committing upfront to not pursue researchers."


References
1. No Respect: Chief Information Security Officers Misunderstood and Underappreciated by Their C-Level Peers. ThreatTrack Security, 2014. Accessed Mar 2015. www.threattracksecurity.com/resources/whitepapers/chief-information-security-officers-misunderstood.aspx.
2. Global State of Information Security Survey. PwC. Accessed Mar 2015. www.pwc.com/gx/en/consulting-services/information-security-survey/.
3. 2014 Cost of Data Breach Report. Ponemon Institute/IBM. Accessed Mar 2015. http://www-935.ibm.com/services/us/en/it-services/security-services/cost-of-data-breach/.

EVENTS

19-22 May 2015
OWASP AppSecEU
Amsterdam, Netherlands
https://2015.appsec.eu/

26-29 May 2015
Hack in the Box
Amsterdam, Netherlands
http://conference.hitb.org

26-28 May 2015
IFIP SEC 2015
Hamburg, Germany
https://ifipsec.org/2015/

2-4 June 2015
Infosecurity Europe
Olympia, London, UK
www.infosecurityeurope.com

2-3 June 2015
Infosecurity Intelligent Defence
Olympia, London, UK
www.infosecurityeurope.com/intelligentdefence

26-30 July 2015
AHFE Human Factors in Cyber-security
Las Vegas, NV, US
www.ahfe2015.org/board.html#hfc

1-6 August 2015
Black Hat USA
Las Vegas, US
www.blackhat.com

29 September 2015
Government IT Security & Risk Management
London, UK
www.whitehallmedia.co.uk/govsec

20-21 October 2015
Cyber-security Summit
Minneapolis, US
www.cyber-securitysummit.org
