Beyond technology: non-technical jobs in cybersecurity

May 23, 2016 (4 mins)

Understanding risk and underwriting insurance policies for today's digital enterprise


As technology continues to evolve, so do the risks to information security. The impact of these growing risks has created a demand for more skilled security practitioners, but the broader scope of the cybersecurity industry extends far beyond networks and devices.

Many larger enterprises have cybersecurity lawyers on retainer, and even more organizations have some form of cybersecurity insurance, whether it covers third-party vendors or liability risks. That’s good news for non-technical people who are entering the legal field or the insurance industry.

At a recent NIST Cyber Security Framework (CSF) panel discussion on cyber liability insurance, Rick Tracy, CSO at Telos Corporation, heard about the ways in which insurance companies are using the CSF to help better understand and underwrite cyber risk.

Tracy said, “CSF addresses a broad set of issues beyond technical security controls that can contribute to the accumulation of cyber risk, such as roles and responsibilities, awareness and training, security processes and procedures, incident response, recovery planning and communication.”

That communication piece is a sector of the industry that will continue to grow as the threat landscape continues to shift in unpredictable ways. The evolution of the information security marketplace opens doors of opportunity as enterprises will need the skills of both technical and non-technical professionals.

In February of 2013, an executive order was put forth by the president requesting NIST to develop frameworks across 16 to 17 sectors, from transportation to communications, specific to managing cyber risk. Tracy said, “The insurance industry and the Department of Homeland Security (DHS) had taken an interest in order to underwrite policy with a better understanding of risk.”

The idea from the government’s perspective was that, “If more companies were able to buy insurance, it would be less likely that the government needs to help because the market would be taking care of recovery on its own through the conventional method of using insurance,” said Tracy.

As a result, the commercial industry began to see the NIST framework as a way to help with cybersecurity insurance, and it served as an underwriting tool.

“If not all, almost every insurance company is aware of the framework and is in favor of using it to help them,” said Tracy. Because cybersecurity insurance is so new, many insurance companies don’t have good data to underwrite policies right now. “Unlike health, auto, or fire, insurance companies don’t have actual data to understand real risks to write cyber policies better,” he continued.

Cyber is one of the few areas where there is a real growth opportunity, said Tracy, and in order for the insurance agencies to grow, “They need to figure out how to underwrite cyber risk better so that the coverage is worthwhile for the enterprise. They need good information to make those decisions,” Tracy said.

Coverage, of course, depends on the business and the size of the organization, but as breaches have become commonplace, every business needs to prove that it has taken measures to protect its assets. In the aftermath of a breach, a company will be asked more than generic questions like “Do you have a firewall?” Investigators will want to know: Do you have disaster recovery? An incident response plan? Have they been documented and tested?

“Cyber security protection has to be ongoing and practiced, not just in existence. Companies will need to provide evidence that they actually exist,” said Tracy.

Insurers will also be more comfortable if enterprises can verify their policies and plans. The framework is something that insurance companies are using for organizations of all kinds.

“It’s not mandatory, but a lot of pressure is being levied by the FTC and FCC, which has basically said that companies that ignore cyber risk do so at their own peril. The court is going to force the issue, so as a company, if you can’t demonstrate that you practice reasonable risk management practices, you really hurt yourself in a court of law,” Tracy said.

As the legal pressure grows heavier, more and more enterprises will rely on cybersecurity lawyers and insurers to prove that they are aware of risks and are taking the proper measures to manage them. This means more jobs that don’t require candidates to understand how to manage a network and analyze alerts.


Kacy Zurkus is a freelance writer for CSO and has contributed to several other publications, including The Parallax and K12 Tech Decisions. She covers a variety of security and risk topics as well as technology in education, privacy and dating. She has also self-published a memoir, Finding My Way Home: A Memoir about Life, Love, and Family, under the pseudonym "C.K. O'Neil."

Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from the University of Massachusetts (1999) and a BA in English from Regis College (1996). Recently, the University of Southern California invited Zurkus to give a guest lecture on social engineering.

The opinions expressed in this blog are those of Kacy Zurkus and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.