Insurer IAG has modelled the financial cost that a data breach or ransomware attack would have on its business, in part to understand how much proposed infosec investments might offset its losses.
Head of cybersecurity and governance Ian Cameron told IBM Think 2018 in Sydney that the “value-at-risk modelling” project called upon the company’s actuarial expertise to put numbers on different types and levels of security threats.
“Because we’re an insurance company, we can use actuarial methods to price or model what the costs of a loss event would be,” Cameron said.
“If we have a major data breach or a major ransomware attack, we’ve done some really great work in the past 12 months to model the net cost of losses to our organisation in terms of the loss of productivity, the cost of advertising to address the concerns of our customers, the legal costs, and the costs of regulatory oversight.
“We’ve been able to work out the distribution of loss from a small event to a very big event.”
Cameron said IAG had taken its modelling “one step further” by using it as the basis for “what if” scenarios around the impact that different security investments might have in reducing potential losses.
“What if we had all this extra security in place?” Cameron said.
“We’ve been able to calculate what security controls are really going to be most effective in bringing that cost of impact [of an incident] down.
“This is fairly novel and it does take some investment [to achieve].”
Cameron said that organisations wanting to pursue a similar project could likely achieve a similar result with less sophisticated economic modelling.
“I think it really just means having workshops with key people across your business to run through the scenarios, get their opinion on what the minimum or maximum costs are, and add that together and then understand what that might look like if you had better security,” he said.
“How much would that loss be reduced?”
The modelling is not just helpful in understanding the impact of different threats and investments, but in providing a footing for security risk discussions with the business.
“It’s really important to start with a risk discussion,” Cameron said.
“Too often we jump straight into solution mode [with the business] and say ‘you need all this security’ and sometimes honestly it could be overbaking it.
“Security has to be commensurate to the value of the information that we’re trying to protect.
“So i think the key message is really to start with an honest discussion with the business around what the threats are, and have a really good educative discussion around what the likelihoods and the impacts will be, and that will then better arm you to understanding the solution and level of security that needs to be applied.”
Baking security into cloud
Cameron said IAG is currently “in the thick of” a migration of workloads from its own data centres into the cloud.
“That’s forcing us to fundamentally rethink and challenge ourselves around the methods that we’ve used in the past to ensure that our data is adequately protected,” he said.
One of the focuses of the security team is around baking security into the process by which code is developed and prepared to run in the cloud.
“Right now, we’re trying to build security into DevOps,” Cameron said.
“We’re doing a lot of work to try to decentralise the [security] function, to teach developers how to help us do security as code, and to bake security into the continuous delivery toolchain.
“As a security team, that means that we have to learn a whole new language to talk to developers so we’re experimenting with new ways of engaging them.
“We want to teach them how to be our foot soldiers, our security champions, and we’re doing that by letting go and letting them do some [security] for us.
That’s the only way we’re really going to be able to achieve some of the scale, agility and adaptability in a cloud environment. We can’t really do that using the traditional operating models that we’ve tried to apply in the past.”
Ry Crozier attended IBM Think 2018 in Sydney as a guest of IBM.