For companies and leadership in the process of committing corporate dollars to Cyber-related investment, we see the following 10 requirements as “must-haves” when evaluating and then selecting third-party solution providers. Today, providers are much more technology, monitoring and data-pattern (AI) oriented. Unfortunately, too many organizations believe that any generally accepted standard promoted by a large advisory firm or consulting company provides adequate protection against “future” Cyber threats. We clearly know that many of these tools do in fact accelerate the response to an attack, but they neither predict nor prevent the majority of high-probability attacks that will occur in the future. It is this “unknown future” that today’s vendors simply ignore.
These vendor practices are not without material flaws. Control standards are high-level and generic in nature and easy to subvert. In fact, an organization can be 100% compliant with a standard such as NIST yet be susceptible to a threat so impactful that it could be out of business in short order. Examples like Equifax, Target, the Department of Homeland Security and the Securities & Exchange Commission are abundant. The key requirements for choosing a security vendor are proven experience in:
- Treating Cyber Risk as catastrophic in nature.
- Modeling Cyber Risk across the enterprise in a comprehensive non-intrusive manner.
- Establishing Cyber related IT investment strategy and planning based on quantifiable security control weaknesses.
- Modeling Cyber Risk across the enterprise against a future state IT and network infrastructure environment.
- Forecasting Cyber Risk in terms of risk of loss stated (denominated) in dollars and probabilities.
- Using universally adopted and generally accepted statistical methods that industry, corporations and insurance companies would deem viable and legitimate as a method for measuring risk.
- Establishing a management console for tracking the progress of planned IT and network infrastructure investment against the actual changes made to the environment over time.
- Using actual Insurance claims data as a part of modeling the scope, scale, and extent of damages and dollar risk of loss associated with Cyber-attacks.
- Modeling Cyber Risk using a robust risk management model, applying a high volume of attacks and combinations thereof, and producing an output that can be understood by IT Security, organizational leadership, and Boards.
- Applying the above capabilities across all major industries, including critical infrastructure.
In closing, the most powerful and unassailable approach we have seen for properly anticipating, prioritizing and even sharing “costly-to-remediate” risk with insurance underwriters includes these 10 requirements.