When Target was hacked right before Christmas in 2013, I thought it would be a tragedy and the store would have to close its doors. I was sure the public had had enough. Then, when Home Depot was hacked, I thought the public would have voted with their pocketbooks — “If I can’t trust you to keep my CC and PI data secure, I don’t care if you pay for credit monitoring, the cat is out of the bag, and it’s YOUR FAULT. I will take my business elsewhere.”
This didn’t happen at all.
When Experian was breached in 2017 and let loose the PI and SSN records of 147M (One HUNDRED and FORTY-SEVEN MILLION) Americans, I thought there would have been protests in the streets and the criminally inept board and executive leadership would have been burned in effigy and imprisoned for life, their savings and assets liquidated and divided amongst the victims.
Nope.
What happened? The democracy was apathetic. They don’t care, they don’t understand, they don’t care to know, whatever — they are apathetic. They don’t respond like their data has been hacked and sold to the highest bidder. They respond like some news happened to a big organization, and it’s none of their business. Then Target has the biggest Christmas season they ever had, Home Depot has increased their stock, and Experian is still doing business as usual.
Well, executive heads rolled. There were dismissals, and some mighty wrist slaps handed out. I’ve never seen a deployed golden parachute, but I’m sure they’re lovely, and they certainly protect the wearer and their progeny well.
I suppose the public is okay with this because the world didn’t end. Criminals didn’t destroy the social fabric of the teeming masses by using compromised data to buy Lear jets and private islands. The cost of repairing the damage has been negligible enough not to ruffle any feathers.
So, what does this do to security programs? Executives now consider the risk of compromise as something they can transfer to insurance. They don’t need a technically experienced leader over security; they need someone who can say the right things and look good (see the FBI investigator and general counsel who became Uber’s CSO, or the DigiCert attorney who became CISO). Should something go wrong, the cyber insurance will cover the costs of recovery.
So, what does this do to cyber insurance? Costs go up — way up. Insurance isn’t here to help you; insurance is here to make money. If they have to pay out, you’ll have to pay them a lot more. In the Wall Street Journal, in a newsletter, I read that Gallagher Bassett reported a huge increase in cybersecurity claims. I reached out to the WSJ, but they couldn’t provide a link to the data, only the quote:
Between 2019 and 2022, Gallagher Bassett saw a 1,884% increase in cyber security claims from clients, which does not include claims clients track on their own systems. Many of these cyber incidents were due to vulnerabilities in systems due to a lack of proper budgeting for cybersecurity, weak system access points and human error.
Almost 2K% increase? Holy schlamoley! What’s going on? Who’s driving these security programs? Do they know what they’re doing? Well, they might know how to speak C-level, or maybe they passed a bar exam. Do their security staff have the proper training? Probably not (training is often the employee’s responsibility, and who will pay for training if it doesn’t get you a raise or something?). Do the programs have the necessary budget for the right tools and technology? I wish I could offer insight into why budgets aren’t correct, but this one confounds me still.
How can we do this better? I think there should be a big table sit-down with the insurance companies. I think we should establish a common rubric among industry verticals, and there should be a low bar, medium bar, and high bar for security frameworks/benchmarks. Each level should have a commensurate premium discount for cyber insurance, and these shouldn’t be like PCI DSS requirements and HIPAA/HITRUST (if applicable), which should of course be met when they apply, but more like ISO 27001 and US privacy laws, NIST 800-53/171 and all international privacy laws, and then SuperSecureAlmostMilitantVeganInternationalStandards (we’d have to come up with that last one).
If a financial benefit to the organization could be achieved by reaching a shared standard, you know the execs would get on board. If organizations achieve a shared standard for security, the risk of compromise could be mitigated rather than transferred. If organizations could do this, public data would be more secure. You could even keep your attorney or nepotistic best friend/family as CISO. Everyone would win. And security engineers would continue to be depressed.
I don’t have solutions for everything at the same time. Sorry.
“Democracy Isn’t Working the Way I Thought It Would”