Wakeup call: Don’t mistake cyber insurance for cybersecurity

  • Posted on December 2, 2022
  • Estimated reading time 3 minutes
Consider this: depending on which report you read, rates for cyber insurance increased well over 100% year over year. At the same time, providers are limiting what kinds of events they’ll cover and increasing the requirements of the client. (That last part we security pros actually like.) Despite assuming more of the burden, more businesses continue to add insurance and renew their policies, so the market continues to grow.

But be warned. Cyber insurance isn't cybersecurity. Obviously it isn't, any more than having car insurance means you won't get into an accident. The reality is that, despite how cyber insurers may sell themselves, they are simply providing (limited) financial support after an event takes place. They are not reducing the risk to your program.

That’s because cyber insurance companies have learned in recent years what security professionals have known forever: attackers are persistent, evolving and will take advantage of every opportunity they can, and the security landscape is constantly moving. Having insurance can be a good part of your security strategy, but you must understand the role it will play, and that means understanding what it covers in detail. For example, as part of your incident response plan (IRP) are you allowed to contract with your own IR partners, or do you have to use your provider’s? Will they cover ransomware payouts, or does paying hurt your ability to use the policy?

There are lots of details and scenarios to consider. A policy can never be a replacement for strong information security and risk management programs. Organizations still need governance, security controls, monitoring, and action plans in place, just as a driver needs to know how to drive, wear a seatbelt, and have a road-worthy vehicle. Yet many companies are paralyzed by indecision and self-doubt. If designing, implementing, and managing a robust cybersecurity initiative feels overwhelming, here are three places to start:

  1. Understand your risk. Assess your organization against a standard security framework such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework or the International Organization for Standardization (ISO) standards for information security management. Many times, we focus on the need for technology solutions and forget that people and processes are incredibly important to protection. Think of this as your written exam before the driver’s test.

  2. Engage with experience. Understanding what you can ‘DIY’ and where you need help is crucial to managing the cost and effectiveness of security and risk management. Often we see others make it look easy, or we think 'it won't take that long', and end up with partially implemented solutions or exhausted internal resources, which is never good. Looking at the 'true costs' will often show that hiring a trusted advisor is invaluable. It gets done right, quickly, and it works. Most of us had someone teach us how to drive; we didn’t just read a book and hop in a car.

  3. Create a plan. There is more cybersecurity to buy than there is money to spend. Looking at everything that can be done, and even everything that should be done, will present a mountain in front of the business. Examine your highest risks and the priorities of the business, then create a plan to improve things over time. Don't try to do everything at once; implement solutions that align with the business mission. Supercars and hot rods are not built in a day. Even if you have all the parts in the garage, putting the vehicle together is a lot of labor, testing and adjusting. And when it is complete, you'll still find more things you want to accomplish.

Companies that are tempted to reduce operational costs by relying on cyber insurance rather than proper cybersecurity programs and controls are putting their enterprise at risk. Don’t confuse the two approaches. With cyberattacks becoming bolder and more frequent, organizations must elevate their security operations to protect their stakeholders.

Find out how Avanade is enabling clients to build resilience and minimize the impact of security incidents.
