Previously, I’ve talked about four primary risk treatment options: mitigate, avoid, accept, and transfer.
Over the history of the security industry, we’ve tended to focus on mitigation. Implementing controls is where the action is.
As IT has largely become a consumption model, I would argue that risk transfer is catching up with mitigation and becoming a primary approach for many companies. The new world of security is a more streamlined model that involves transferring many types of risk—and many of the associated controls—to third parties in a variety of ways:
Moving IT to the cloud
Public cloud providers have comprehensive compliance certifications. Some of the more sophisticated ones can offer PCI compliance or HIPAA compliance. Some are pursuing ISO 270001. They have robust control mechanisms already established.
Even if a company is stocked with security expertise, it still may be a stretch to make those kinds of investments. Most would rather spend every available dollar designing and building products and bringing them to market. This is especially true for newer, smaller companies or those operating in highly compliant industries. The cloud offers a way to offload some IT functions that may require significant investment, along with some of the security and controls that correlate to those functions.
The key word is “some.” Ultimately the company is still responsible for its customers’ data wherever it resides. But by going to a public cloud environment, the organization can focus more on securing its own portion of the custody chain, freeing up time and budget to invest in business objectives and business outcomes rather than infrastructure and controls.
Offloading internal platforms to SaaS providers
Years ago I was working for a company that had an internal HR platform, which was heavily reliant on spreadsheets. The HR department was working on merit and stock allocations. The VP of HR takes the spreadsheet and copies it—along with all the macros.
Even though the information had been anonymized and cleansed on the surface, the macros underneath kept all the information. All 500 employees inadvertently ended up with the stock options and compensation of the company’s directors and executives. Most of them didn’t know this because it was hidden inside the macros, but some technical employees did catch it.
You can see how relying on an HR professional to be an expert in systems and platforms is problematic. The same applies to any non-technical professional in any department.
Now fast forward—if the company had a modern HR SaaS platform like Workday, that risk would not have existed. It would be instantly mitigated by transferring an IT function that formerly involved a manual process and Excel spreadsheets.
That’s how transfer of risk changes the business. Now the HR person can focus on HR tasks, not on becoming an expert in Excel in order to avoid becoming the latest hapless user who made a costly mistake that hurt the organization.
Writing effective contracts and policies
Another example of risk transfer is one we hear about all the time, often without realizing it: contractual obligations. Whether it’s a EULA or a master service agreement or an internal policy, contracts transfer a certain degree of risk onto users, providers, employees or customers.
A EULA typically informs users that by connecting to a site or web service, the user agrees to a certain level of privacy. They are in a position to do unfortunate things on the site like post a social security number in a chat forum, and the site or service is transferring the risk of those actions to the individual, letting them know the site is not designed to secure privacy.
Codifying things in policy is really a way of writing contracts internally, transferring some risk to employees. The business no doubt needs to do appropriate due diligence and due care, but the employee still has to be relied upon to do reasonable things.
Master service agreements, or MSAs, are a form of transfer more applicable to the B2B relationship, essentially representing a chain of custody for sensitive information. If there’s any way a vendor is going to touch critical data, they must agree to adhere to the same level of controls and treatment as the company.
Lastly…lastly! Taking out cyber insurance
If you’re doing all of these other things right, you should come to a point where you’re essentially focused on your core business, on systems that are inherent to what you do and where your IP and customer data are in your custody.
Now you can think about cyber insurance to cover whatever residual risk is left, because there will always be things over which you have zero control. Just like a city can be inundated by a flood, the same types of incidents can happen in cyberspace.
An insurance policy should never be the be-all and end-all for your risk treatment plan. At the same time, it’s becoming a more common risk treatment option to mitigate the business impact of a risk being realized, and to hedge against unforeseen events.
Of course with the rising popularity of cyber insurance, along with the uncertainty of the world we’re living in, insurance companies are also becoming more sophisticated and choosy. If they’re going to cover a company for millions of dollars, expect their security experts to come in for a lengthy interview—and expect them to review your risk treatment plan.
By offloading risks wherever it’s practical to do so, you can streamline your efforts and build a more effective security portfolio overall. Yes, you are still responsible for protecting sensitive data, but the footprint becomes smaller because you’ve essentially commoditized certain areas. The great thing about all of these risk transfer strategies is this: They allow you more time to focus on your business.