#BHUSA Cybersecurity Industry Needs to Back Itself to Regain Dignity

At Black Hat Las Vegas, in a session titled ‘An insider’s guide to cyber-insurance and security guarantees’, Jeremiah Grossman berated the cybersecurity industry for not backing itself, and for allowing the cyber-insurance industry to eat up budgets that could be spent on buying the technology to prevent a breach.

Looking at statistics comparing new information security investment with cyber-insurance spending from 2014 to 2015, Grossman reported $3.2bn spent on cyber-insurance against $3.8bn in new information security spending. He called this an “indictment of our industry. If a business has $100 to spend, they are equally likely to spend it on cyber-insurance as on cybersecurity. They don’t trust our technology to stop them getting hacked.”

The cybersecurity industry doesn’t trust itself to protect customers either, Grossman lamented. At Black Hat last year, an attendee survey showed that three quarters of attendees thought they’d get breached in the next year. “We don’t even believe we can protect ourselves. There is a $75bn annual spend on cybersecurity and what do we get for that? Hacked all the time! We can do better,” he insisted.

The cybersecurity industry offers no guarantees to its customers, and that, said Grossman, is unacceptable. “Our technologies offer no guarantees, no warranties, no refunds or return policies. We wouldn’t accept this in any other industry. It makes us a $75bn garage sale!” The time has come to start putting guarantees on what we say our technology can do, said Grossman.

Jeremiah Grossman, Black Hat 2016

“Why can’t we guarantee security like the bad guys do?” asked Grossman, referencing malware writers who offer guarantees. “Are we so ignorant of how our products perform? Or do they work so badly we wouldn’t dare guarantee them?” He pondered the irony that financial services guarantee the safety of their customers’ money based on the information security technology that our own vendors won’t guarantee.

Grossman said there is a big opportunity for the industry to get its credibility back, and had two calls to action for the audience:

  1. Security vendors: Please start offering guarantees on products
  2. Customers: Please start demanding guarantees from vendors

Cyber-insurance is a hyper-growth industry, worth an estimated $3.5-4bn in 2016. “It’s only a matter of time before information security’s master changes,” warned Grossman. “Soon, we’ll be dictated to by the insurance industry, not compliance.”

The insurance industry doesn’t know much about information security, but they’re starting to learn, Grossman said. “They’re coming to our conferences to learn, and we need to go to theirs, so we can bridge that gap.”
