Friday, July 28, 2023

How You Can Benefit From A vCISO: From Ransomware To Cyber Insurance Negotiations

The good news is that in the world of cyber, the number of ransomware attacks has actually been declining to some of the lowest levels in years.  It peaked during the COVID-19 pandemic, when anything and everything was a target (and technically, this is still the case today).  The mantra then and now has been never to pay the cyberattacker the ransom they are demanding.  Why is this the case?  There are numerous reasons for this, some of which include the following:

*There is no guarantee that you will ever receive the decryption keys needed to unlock the computers and files that have been encrypted, and even if the keys do arrive, there is no guarantee that any data the attacker copied out beforehand will actually be deleted.

*Paying will only encourage the cyberattacker to come after you again, but this time asking for even more money.

*It will only fuel the appetite (as well as the ego) of the cyberattacker to launch even grander attacks.  Their thinking here is that if they can do it multiple times against smaller targets, then there is nothing stopping them from going after larger ones.

But there are times when a ransom payment could be considered, and actually made.  One of the best-known examples of this is the 2021 Colonial Pipeline attack.  It caused serious fuel shortages on the East Coast, and gasoline and oil futures prices were gyrating totally out of control.  To keep things from getting worse, the CEO agreed to make a $4.4 million payment, and after that, things started to normalize again.

But this was no easy process to accomplish, of that I am sure.  Although the details were kept out of the news headlines, I am sure that there was a lot of back and forth between law enforcement and the cyberattacker to try to work out a lower ransom.  So, simply paying is not the answer.  If you decide to make a payment, or at least attempt to, it is important that you try to negotiate.  Why, you may ask?

Well, the primary benefit of this is that it can give law enforcement the critical time they need to trace the footsteps of the cyberattacker, with the hope of bringing them to justice.  It also buys your own incident response team time to establish the scope of the breach and to find out whether clean backups make a payment unnecessary in the first place.  But this negotiation process takes a team of people, with a ransomware negotiator at the helm.  Believe it or not, there are companies that specialize in doing this very task.

But now the question has arisen of whether the CISO should become involved in this process as well.  There are differing views on this, but a related question is whether the CISO should become more involved in the procurement process for cybersecurity insurance.  After all, if you are hit with a ransomware attack and make a payment, you will want to be reimbursed by your insurance carrier.

So how can the CISO help in this regard?  Here are some areas:

1)     They will be able to get more information:

When most CISOs start a new position, they are still getting acclimated to their new IT and network infrastructure.  But with the cyber threat landscape the way it is today, many insurance carriers are demanding a lot more information from businesses about their security practices, and in fact are making them fill out a lengthy questionnaire that can run as long as 20 pages.  Very often, this is left to the manager of the IT department to figure out.  But if the CISO were to get involved in this process, not only would it make him or her learn quickly about what is going on in their new environment, it would also give the underwriters of the policy a very positive impression that this business is serious about what it is doing.  And by having the CISO sign the questionnaire, there is more assurance that the right controls are in place (at least in theory), and therefore that the business will not be a huge risk or gamble to take on.  Keep in mind that the signature cuts both ways: the answers become representations the policy relies on, so a control that is claimed on paper (MFA on all remote access, tested offline backups) but not actually deployed can give the carrier grounds to deny a claim later.  The CISO should verify each answer against the environment before signing, not simply copy last year's form.

2)     They can become a good partner:

The truth of the matter is that most people are afraid to work with an insurance carrier.  But if you were to bring your CISO to the table to work with them, they can actually forge a very valuable partnership.  For example, by going through the questionnaire, the insurance company can act as a fresh pair of eyes when it comes to reviewing the controls you have in place.  Best of all, rather than having to hire an expensive auditor, you can use this new partnership for free.  One caveat: the carrier is reviewing your controls to price its own risk, not to certify them, so treat its feedback as a useful outside checklist rather than as a substitute for an independent assessment.

My Thoughts On This:

Keep in mind that not every company can even afford to hire a CISO in the first place, given just how expensive it is to hire and keep one.  A lot of this is because of the enormous salaries that have to be paid, along with all of the extra perks, such as stock options and other types of bonuses.  Plus, the day of the traditional CISO will most likely come to an end soon, as the burnout rate is very high.

But businesses still need a leader to keep the ship on a straight and navigable course through the cyber world.  So, are there any options?  Yes, there is one.  It is called the "vCISO".  This is where you hire a highly experienced ex-CISO on a contract basis.  What you pay them is a fraction of what you would pay in salary.

Best of all, you only keep them on for as long as you need them.  You terminate the contract when you don't need them, and bring them back on board again as needed.  These people are highly skilled in what they do, and they also have a wider network of contacts that you can tap into if you have other needs.

But whatever the situation, you still need a leader for both ransomware and cyber insurance negotiations, whether that is a direct hire or a CISO on a contract basis.
