
Security is a process; it’s not a checkmark on a checklist


Security is a continuous process of adjustment and improvement as the threat environment changes. I recently read an article in CPO (Chief Privacy Officer) Magazine about the failure of the auditing process, and of auditing in general, with regard to cyber insurance. The article pointed out the difficulties the insurance industry is having even in evaluating cybersecurity risk, much less assigning numbers to it.


The article came down to this: the practice has been, before issuing a policy, to send the prospective insured a list of questions to determine the risk (e.g. do you have MFA?). Such questionnaires are standard insurance practice when, say, issuing me life insurance. So why wouldn’t it work here? The issuer’s thought is: this is a very broad and deep field, so we’ll just ask a lot of questions, 500+ in this case. But according to the insurance industry, it doesn’t actually let the issuers determine risk.


Having been on the receiving end of these, one of the reasons it doesn’t work is the complexity of IT environments. For example, do I answer the question about MFA “yes” if we have MFA at all? If it’s deployed to 70% of our environment? If it is rolled out only to human logins? What if it’s deployed, but I have no way of independently validating that, so I’m going on the possibly incomplete knowledge of my CTO?


The upshot of this for the insurance industry is uncertainty. Life insurance works because the human condition is fairly static: it varies with only a few factors and on the scale of a decade. The insurance industry has that down pat, based on years of data about those few factors, such as age, medical history, and the pace of medical advances. Tech, on the other hand, varies with many more factors and evolves every 18 months. It’s like comparing a geometric progression to an exponential one. The first the human brain can handle; the second requires a postdoc mathematician.


The result, according to the article, has been frustration all around. Insurers can’t pin down the quantitative risk and so are very reluctant to issue anything but very low-value policies. The insured (me) are frustrated at going through the process for so little result. The only people who are happy are the regulators and auditors, who can tick the box on their list that says “cybersecurity insurance: y/n” without saying anything about its quality.


As said above, this comes down to the failures of the auditing method in general. First, an audit is a point in time. IT evolves, as pointed out above, possibly exponentially. It is far too dynamic for questions that assume the state at that point in time will remain relatively static (e.g. the fact that someone has inherited heart disease won’t change over the course of their life).


So what am I saying? Let’s not throw out auditing, because it performs a very valuable function. As science teaches us, you need to establish and understand the baseline of a complex system. But let’s not stop there. We should also recognize that the system evolves rapidly and dynamically. For that you need constant automated telemetry (measurement) of the state of the system in order to determine its compliance and risk over time. That might mean employing a postdoctoral mathematician to figure it out. At the end of the day, both methods have to work together. If all you are doing is auditing and handing out findings for others to fix, you really aren’t maintaining your security controls over the system. A good security program will have both: monitoring (detection) with preventative controls, and baseline audits. As we said in the first sentence, security is a process, not a checklist.




©2025 by Joel M. Van Dyk. Proudly created by Caliativity Productions on wix.com
