The Security Institute’s View

Posted On 15 Mar 2018

“Risk comes from not knowing what you are doing. Price is what you pay. Value is what you get. Someone’s sitting in the shade today because someone planted a tree a long time ago.” Warren Buffett’s words are apt in describing today’s security environment. The more that we work together in generating holistic solutions, the better the results in the long term. Rachel Anne Carter focuses on the role of the insurance industry in the delivery of security solutions.

The security profession as we understand it includes a variety of security generalists and specialists: corporate and commercial security practitioners, police and law enforcement professionals, intelligence operatives and military personnel. However, when thinking more broadly of those who provide solutions to security breaches, we also have insurance providers, lawyers and others whose work directly affects security outcomes or regulates behaviour, and thus brings in different bands of membership from corporates or Government departments.

Holistic solutions are essential. When there’s a lack of collaboration and an entrenchment of the silos, there’s a duplication of resources and an escalation in costs. Even worse, there’s the danger that certain threats will fall into the cracks between them.

Within the security profession, it’s now being recognised that cyber security should not be regarded as a silo. Rather, it’s everyone’s business. Converged security solutions are necessary. The exact same principle applies to the integration of other specialisms.

The insurance industry is one of those sectors resting on the outer edge of the security industry, and not always certain of its place within the security sector. Insurance is, of course, a security measure. Greater knowledge, learning and mutual benefits will emerge from breaking down the existing silos, generating a more communicative experience and achieving holistic security strategies. As a direct result, many insurance companies are now seeking to engage with the security business sector on a somewhat more effective footing.

Taking the example of cyber insurance, as we innovate, adapt and develop product and service offerings, we’re seeking to be part of a holistic security experience. Although insurance is critical to the economic security of a company, entity or individual after a cyber attack, we do of course recognise that insurance alone isn’t enough.

In order to address cyber risks, we seek to develop a joined-up approach where we can look at the problem of cyber threats and its transformation as a multifaceted issue and then respond accordingly.

Understanding and insight

Insurers have the best possible understanding and insight into economic protection against business risks. There’s often a convergence of physical and cyber risks. In some cases, the physical risk may be about access to a building or access to computer systems or servers, for example. This requires specialists in both areas to work together, and both types of specialist to have a strong working knowledge of the other’s domain. In the future, the distinction between the two may well disappear entirely.

The insurance industry also relies upon technical cyber professionals who have specialist knowledge of IT and cyber infrastructure, vulnerabilities and programming capabilities and who can implement technical solutions. The ability of insurance, physical security and technical cyber experts to work together to generate holistic solutions will be preferable to a pure economic solution.

The economic aspect of the solution within a broader security strategy will, however, aid the recovery process and enable a company to have the cashflow required to continue its operations after an event has transpired.

Security breaches rarely affect only one part of a business. Rather, they’re more likely to impact several areas and may even affect the overall functionality and operability of a business (even if only temporarily). On that basis, a solution accounting for the various impacts is key. Generating the required information about the potential impact(s) of security breaches involves intelligence gathering, understanding of technical intricacies and behavioural and other observations. This understanding and holistic approach towards mitigating the threat and any potential implications takes into account minimisation, prevention and recovery from security breaches.

Intelligence gathering as well as physical surveillance can monitor individuals, groups, potential state actors or others involved in generating the greatest physical, cyber or other security threats and the broad threat groupings. Law enforcement has a role to play in dealing with criminality, primarily after it happens, and prosecuting where possible those engaged in cyber crime. A joined-up approach will also help facilitate the identification of patterns used by adversaries to carry out attacks and put in place solutions to combat these as well as isolate any potential losses. It’s fair to suggest that collaboration is the strongest force we have available to us.

Collaboration is key

In addition to enhancing understanding, collaboration facilitates cost and time efficiencies as well as an enhanced likelihood of preventing many more security breaches (physical and/or virtual).

Using the same cyber example, a security solution involves taking into account physical risks and ways of minimising them, cyber professionals being more prescriptive about what clients and stakeholders must or should do (and how regularly) to ensure that systems are as safe as possible, and insurance adapting and optimising its offer while ensuring clarity in existing offerings.

The bringing together and selling of such products and services will benefit all and provide far more robust solutions for clients. This will take the stress, time and inconvenience away from clients otherwise having to source their own vendors to meet a variety of different security objectives.

For the provision of security and the level of insurance cover offered, it’s likely that a higher degree of security will be afforded and that insurance solutions may have higher limits or more extensive coverage. Optimal solutions protecting against all security eventualities will be provided to companies who understand their risks and vulnerabilities and abide by – or are willing to nurture – a strong security culture.

Collaboration will inherently focus on solutions, but it also has an educational element attached to it. The different sectors within the security community can educate each other and also learn from each other. Opening and widening the dialogue between the different sectors is likely to create new business opportunities for all those involved.

Whenever a breach of security occurs, whether it manifests itself in a physical, cyber or other medium, it’s in everyone’s best interest that the breach is contained and minimised, with a strategy for resilience and returning to a state of ‘business as normal’ as soon as practicable duly put into operation.

Breaking down traditional barriers

The breaking down of traditional barriers to promote a joined-up approach sends a very powerful signal to our adversaries. Together, we are stronger. By sharing knowledge, we make it harder for the adversary to exploit the gaps where information doesn’t filter through from one silo to the next. Instead, it provides a stronger position to analyse past events, learn from them and adapt accordingly.

Ultimately, if there’s a loss event, it’s best that everyone’s on board from the security sector, as the only winners from these events are the cyber adversaries who’ve been able to exploit our own entrenched silo system to their own advantage. This is a plea to organisations that they ought to take guidance from the words of business magnate Warren Buffett and start to plant the necessary seeds now.

All-encompassing profession

Security is an all-encompassing profession focusing on the safety of people, business and communities. Insurance is part of the solution, providing an economic and financial buffer.

As the year is yet young, let this one stand to be a turning point whereby there’s greater collaboration, adaptation and modernisation of the way in which various security risks are both perceived and then actively remedied.

Let us become a united force for the future and a growing seed of resentment for our adversaries who are looking to carry out security breaches. If we grow stronger together, then the cyber attackers will realise they’re faced with a harder task when it comes to conducting their criminal escapades.

Dr Rachel Anne Carter MSyI is Director of Research and Policy at The Security Institute and Cyber Innovation Lead at AmTrust

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.