Good morning, CISO!
Have you ever had that frustrating conversation with your intelligence analyst where she comes to you and asks, “What are your intelligence requirements?” and you think, “What the hell? YOU are the intelligence professional; why are you asking me? That’s your job.” Let me help both of you with an example of where to start.
Cyber insurance. Your organization has purchased a multi-million dollar policy. The board members congratulate each other on how cyber-savvy they are, the CEO is happy, and everyone is now sleeping better. The pesky underwriter kept asking for this and that, and your people scrambled to get all the information over to the insurance firm on time. But mission accomplished.
But now six months have gone by. You are still covered by the policy, but has any of the information you sent to the underwriter changed since then?
If a breach occurs over the weekend, what is the likelihood your insurance policy will pay out?
These two questions are a great place to start if you want meaningful intelligence requirements.
A quick ChatGPT query on the top 5 issues a cyber insurance underwriter looks for returns:
- Security measures: Underwriters want to know what security measures your company has in place to prevent cyber attacks. This includes firewalls, encryption, and employee training programs.
- Data backup procedures: Underwriters will want to know if your company has a plan in place to back up and restore data in the event of a cyber attack.
- Incident response plan: Underwriters will want to know if your company has an incident response plan in place to mitigate the damage caused by a cyber attack.
- Past incidents: Underwriters will want to know if your company has experienced any past cyber incidents and how they were handled.
- Third-party vendors: Underwriters will want to know if your company uses any third-party vendors that may have access to sensitive information and what security measures are in place to protect that information.
This list is by no means exhaustive. The information you respond with is not dynamic; it represents only a snapshot of your org at the time the policy was issued. Would any change since then reduce the likelihood of your policy covering the costs?
- Do we have [X Security Tool]? Yes. But does it work? How do we know?
- We had an incident in the past and developed new IR plans. But have we tested them? When? Has anything changed to make them unviable?
- Has our law enforcement contact changed? Do we know?
- Have our third-party partners experienced any events? Do we know what happened? Does our hunt team know what to look for?
So there you go. Happy Saturday.
#threatintelligence #CISO #cti #riskmanagement #cyberinsurance #requirementsmanagement #reqfast