Zero Trust: Why ‘cyber insurance’ offers no GDPR compliance

May 11, 2018 | 4 min read
Compliance | Data and Information Security | Government

With the GDPR enforcement deadline just weeks away, the vultures are circling, and leading the pack is a group of companies touting so-called 'cyber insurance'. While most IT security vendors are opting to scare organizations with demands for rip-and-replace strategies to safeguard personal data, several small-business insurers are offering a sugar pill instead. Both approaches are highly questionable, and both should be judged against the Zero Trust ethos now widely advocated as cyber security best practice.

Unacceptable practice

Virtually every business is struggling to get to grips with the challenges of the new EU General Data Protection Regulation (GDPR). But the current feeding frenzy, from IT vendors to 'GDPR data experts' and, now, insurance companies, is, quite frankly, unconscionable.

Offering an insurance policy to 'transfer the risk' of a cyber security breach is nonsense, and emphasizing the new regulatory reporting demands associated with GDPR is a classic piece of misdirection. Wrapping it up with warnings about the number of businesses that fail after a security incident is little more than profiteering.

The fact is that no insurer will make a company whole after a GDPR breach: the costs, from punitive fines to lost business, are simply too high, and in most EU jurisdictions it is legally doubtful whether a regulatory fine can be insured at all. Secondly, no insurer will pay out to an organization that failed to protect its data or assets; policies routinely exclude losses that follow from not maintaining the security controls the policyholder declared. Leave the door unlocked and the homeowner is not covered in the event of a burglary; the same applies to poorly secured data. So just what is 'cyber security insurance' actually providing?

Essentially nothing. Worse than nothing, since there is a risk that organizations will mistakenly believe the 'insurance' buys them extra time to understand GDPR and how it affects the business, rather than investing in a cyber security programme today. In fact, the insurance is nothing more than a business cost, and it certainly will not reduce any risk.

If anything, it may make the situation worse: the regulator is looking for a policy, a strategy and a clear direction towards safeguarding sensitive data at rest and in transit. No regulator is looking for an insurance policy.

GDPR journey

With just weeks to go, US organizations that handle EU residents' personal data should have clear thinking in place regarding securing both data at rest and data in transit. But with so many vendors insisting that ripping out and replacing encryption devices is the only option, it is little surprise that many companies have still failed to make the change.

Just as the concept of cyber insurance is nonsense, there is also no need to embark on a radical, expensive and disruptive security rip and replace. Enforcement may begin on 25th May 2018, but this is not a one-off deadline: regulators fundamentally need to see that companies are on a clearly defined and workable journey towards GDPR compliance. The regulation itself (Article 83(2)) requires fines to be proportionate and to take into account the technical and organisational measures a company has implemented and the steps it took to mitigate the damage, so regulators are not going to fine to the maximum any company that can demonstrate it has taken steps towards improving security.

One of the biggest concerns for businesses, and one that the vultures are leveraging to the max, is the new duty to notify the supervisory authority within 72 hours of becoming aware of a personal data breach (Article 33) and, where the breach is likely to result in a high risk to individuals, to inform the affected data subjects as well (Article 34), something that can have a devastating impact on business reputation. However, if the data was encrypted, the regulation (Article 34(3)(a)) removes the obligation to notify data subjects, because the information has been rendered unintelligible to whoever obtained it. Two caveats matter here: the regulator still has to be notified, and the exemption only holds if the encryption keys were not compromised along with the data, which is why key management deserves as much attention as the encryption itself.

For many businesses, therefore, there is likely nothing wrong with the traditional security and encryption processes already in use, provided they have been implemented correctly. It is when an organization changes the way it processes user data that additional controls and security considerations are required. The goal is to secure all data in transit regardless of the network or service being used, but that does not have to be achieved overnight.

Zero Trust

This ethos is exactly in line with current cyber security best practice: the Zero Trust methodology, which abolishes the idea of a trusted network inside the corporate perimeter. It assumes that nothing within the extended infrastructure can be trusted by default, whether users, apps or devices, and that every access must be authenticated, authorized and encrypted on its own merits. It assumes that the network can be compromised at any time, by anything.

As growing numbers of CIOs recognize these issues, many are starting to push the disaggregation agenda, concluding that service and security should be separate and distinct from the network infrastructure. The less an organization knows about or controls the underlying network, whether a carrier circuit, a public cloud or the open internet, the more it must rely on security controls it owns outright, such as its own encryption keys and policy, especially given the compliance requirements GDPR is set to impose on businesses.

It is only by embracing Zero Trust and taking that step towards network disaggregation, adopting a truly network-agnostic encryption technology that can secure data in transit across any IP network, and achieving centralized security orchestration with full data visibility, that organizations can confidently achieve GDPR compliance and control over the personal data they hold.

So, forget the insurance, step away from the rip and replace merchants, and embark upon a journey that ensures the business has done everything possible to protect itself – and its customers – from data compromise.


As VP & GM Americas at Certes Networks, Jim Kennedy is a results-driven senior sales and operations technology executive with experience in both large corporate and small startup environments. Jim has held executive leadership roles across all aspects of sales management, driving sales teams to achieve extraordinary results, rapid growth and turnarounds of underperforming teams, with complete profit and loss (P&L) responsibility.

Jim has worked in international sales, business development, strategic partnerships and operations in over 20 countries globally giving him a broad experience in leadership including sales, sales operations, corporate strategy, corporate development, product management, industry solutions, value added service, and global operations.

With over 30 years of experience leading sales teams to growth of both product and services revenue consistently and predictably, Jim has a proven track record of increasing revenue and profitable bottom line growth, while spearheading operational improvements. Jim’s extensive expertise in various IT segments includes IT strategy development, software/hardware infrastructure, voice/data networks, IP telephony, video teleconferencing, software defined networking, hyper-converged computing; private, public and hybrid cloud technologies, network security, SaaS and overall IT-related services.

Jim is a recognized motivational leader with a reputation as a strategic thought leader whose hands-on tactical execution consistently delivers results, increases annual revenue and gross margin, drives change, and develops and attracts best-in-class talent.

Jim has successful experience in private equity- and venture capital-backed companies, raising capital, mergers and acquisitions, mature companies, rapid growth companies, restructured organizations, successful sale of organizations and other strategic exits.

The opinions expressed in this blog are those of Jim Kennedy and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.