Beyond technology: non-technical jobs in cybersecurity

Understanding risk and underwriting insurance policies for today's digital enterprise


As technology continues to evolve, so do the risks to information security. The impact of these growing risks has created a demand for more skilled security practitioners, but the broader scope of the cybersecurity industry extends far beyond networks and devices.

Many larger enterprises have cybersecurity lawyers on retainer, and even more organizations have some form of cybersecurity insurance whether it is with third-party vendors or for liability risks. That's good news for those non-technical folks who are entering into the legal field or the insurance industry.

At a recent NIST Cyber Security Framework (CSF) panel discussion on cyber liability insurance, Rick Tracy, CSO at Telos Corporation, heard about the ways in which insurance companies are using the CSF to help better understand and underwrite cyber risk.


Tracy said, "CSF addresses a broad set of issues beyond technical security controls that can contribute to the accumulation of cyber risk, such as roles and responsibilities, awareness and training, security processes and procedures, incident response, recovery planning and communication."

That communication piece is a sector of the industry that will continue to grow as the threat landscape continues to shift in unpredictable ways. The evolution of the information security marketplace opens doors of opportunity as enterprises will need the skills of both technical and non-technical professionals.

In February of 2013, an executive order was put forth by the president requesting NIST to develop frameworks across 16 to 17 sectors, from transportation to communications, specific to managing cyber risk. Tracy said, "The insurance industry and the Department of Homeland Security (DHS) had taken an interest in order to underwrite policy with a better understanding of risk."

The idea from the government's perspective was that, "If more companies were able to buy insurance, it would be less likely that the government needs to help because the market would be taking care of recovery on its own through the conventional method of using insurance," said Tracy.

As a result, the commercial industry began to see the NIST framework as a way to help with cybersecurity insurance, and it served as an underwriting tool.

"If not all, almost every insurance company is aware of the framework and is in favor of using it to help them," said Tracy. Because cybersecurity insurance is so new, many insurance companies don't have good data to underwrite policies right now. "Unlike health, auto, or fire, insurance companies don't have actual data to understand real risks to write cyber policies better," he continued.

Cyber is one of the few areas where there is a real growth opportunity, said Tracy, and in order for the insurance agencies to grow, "They need to figure out how to underwrite cyber risk better so that the coverage is worthwhile for the enterprise. They need good information to make those decisions," Tracy said.

Coverage, of course, depends on the business and the size of the organization, but as breaches have become commonplace, every business needs to prove that it has taken measures to protect its assets. In the aftermath of a breach, a company will be asked more than generic questions like "Do you have a firewall?" Investigators will want to know: Do you have a disaster recovery plan? An incident response plan? Have they been documented and tested?

"Cyber security protection has to be ongoing and practiced, not just in existence. Companies will need to provide evidence that they actually exist," said Tracy.

Insurers will also take greater comfort if enterprises can verify their policies and plans. The framework is something that insurance companies are using for organizations of every kind.

"It's not mandatory, but a lot of pressure is being levied by the FTC and FCC, which has basically said that companies that ignore cyber risk do so at their own peril. The court is going to force the issue, so as a company, if you can’t demonstrate that you practice reasonable risk management practices, you really hurt yourself in a court of law," Tracy said.

As the legal pressure grows heavier, more and more enterprises will rely upon cybersecurity lawyers and insurers to prove that they are aware of risks and are taking the proper measures to manage them. This means more jobs that don't require candidates to understand how to manage a network or analyze alerts.


Copyright © 2016 IDG Communications, Inc.
