Advisen: What do you see as the greatest cyber risks today?
George Gerchow: The ‘insider’ threat. It started to gain momentum last year with the NSA and Snowden and then gathered pace with Target late last year.
Now, we’re starting to see a development from the company just being publicly humiliated by the data breach and associated fines. Just last week a healthcare company out of Florida was the first company that had to pay the people whose data they lost – that’s going to cost it up to $3 million.
So things are really starting to change. But it’s the insider threat that remains at the top throughout 2014 and 2015.
Advisen: What will be the greatest threats in 5 years’ time?
George Gerchow: It will still be the insider threat, but a different insider threat. As people start adopting the cloud more, the insider threat will increase on the provider side – they’re going to be great targets for the bad guys.
A huge number of people have their workloads with service providers. You have multi-tenant, shared resources and even intellectual property being hosted up there… I can’t even put a scope on the magnitude of it.
When, for example, service providers like Amazon or CSC get infiltrated from the inside, they’ll be able to take down dozens or hundreds of companies at once, rather than just one.
It’s going to be interesting to see who’s going to be held accountable for what happens in the event of a breach.
Advisen: Is the insurance industry doing enough to adequately address these risks?
George Gerchow: No, they’re not doing enough to engage with the fast pace of changing technology. I don’t think enough education is taking place.
In order to provide meaningful solutions, the insurance industry has to start getting ahead of threats – especially the cloud movement.
There’s always a disconnect between the business-oriented or process people and the technology side of cyber. The former believe they don’t have to be on top of the technology, but that it is sufficient to follow a process to mitigate risk. The technology people believe that the business folks don’t know what they want and don’t define the control requirements well enough.
In reality, you’ve got to get a mix of both. You don’t have to be deep into technology on the business side, but you still have to know what’s happening with your data, where it’s being exposed, how it’s being accessed.
If you can’t really understand that, then you can’t measure the risk – and that’s where I want the insurers to be.
Today, there is an unhealthy reliance on measuring compliance – which I’m a huge fan of – but that doesn’t mean you’re secure.
I’d like to see the industry getting back to measuring and gauging risk, and I see the change coming with a focus on the cost of risk.
The more companies can start boiling it down to the cost of risk, with the help of data, the better their mitigation plans will be.
Advisen: What keeps you awake at night?
George Gerchow: The biggest thing that bothers me is how ill-prepared IT organizations are for what’s happening with the cloud movement.
Companies really don’t know what their plan is with regard to the cloud.
The deconstruction of IT and deconstruction of security has already taken place in many organizations and I’d hate to see everything being run by the external provider and for pretty much IT to die.
It bothers me because I have an IT background, and if you evolve in a certain way with IT and InfoSec, you can help companies get a competitive advantage and grow their revenues and give them a competitive edge. They don’t have to control every single workload but be more of a broker to these workloads moving.
IT tasks should morph into other sections of a company. But I speak to IT executives whose goal is to 100 percent get rid of their IT shops by 2015.
They are happy to outsource that responsibility and just keep a track of the risks from afar.
But what happens when that provider gets compromised? Or you’re unhappy with the cost of outsourcing and you want to shift that workload again? Then you don’t have that IT expertise in-house anymore… So if those responsibilities can morph into other areas of the company, then great.
Advisen: In your opinion, what is the single most important cyber risk development in the past 12 months?
George Gerchow: It’s been amazing to me how people are really starting to adopt open source and do some really great things with it, to really give their companies a competitive edge and a brand new revenue stream.
I didn’t see it coming at the speed that it has – and it is really the thing that is driving that whole cloud movement.
I also expect to see traditional vendors (such as VMware) playing more with open source vendors – providing that solid foundation but adopting a lot of open source that gives the customers the ability to develop where they want and how they want at the speed of light.