Over the last decade I have personally seen cybersecurity stakeholders evolve to become a more pivotable resource within nearly every industrial enterprise that I deal with. The reason for this is evolution obvious. Cyber risk is has become a central challenge, and experts that mitigate and manage it best are in high demand. With this notion, it is also clear that the old way of managing risk doesn't work anymore.
ICS/OT asset owners today have invested continuously in new cybersecurity and asset visibility tools to better manage their interconnected and expensive Distributed Control Systems (DCS), Energy Management Systems (EMS) and Bulk Electric Systems (BES). After a decade of witnessing this trend first-hand, I ask – is the average industrial enterprise better off?
While I will let the reader come to their own conclusion the question above, I will say that I believe cyber risk is a challenge that must be better reconciled by solution providers and the ICS/OT asset owners that they sell to. In the first half of 2021, ICS/OT-specific vulnerabilities grew by over 40%.
For the sake of insurers and the average ICS/OT asset owner, cybersecurity offerings out there are only one piece of a very large and ever-changing puzzle, and they are crippled with rising cyber threats, and the threats resulting from them. The problem has gotten so severe that there is discussion to reorganize the NIST CSF to add in a cyber insurance component. (Read more from the White House Briefing Room)
Preparing for the Inevitable
The reality is that cyber-attacks are just going to happen, and they will result in damages. Meanwhile, while cybersecurity solutions are working hard to stamp down each cyber-threat as they emerge like a perpetual game of Wack-a-Mole, who’s picking up the financial pieces of when cyber incidents inevitably occur? This is big and growing unaddressed need. For example, imagine understanding what is the ROI is of any investment in cybersecurity, or what is your organization’s exposure to cyber risk is at any given time. How would this change cybersecurity and how cyber risk is managed? My guess is – A whole lot!
Personally, seeing organizations struggle mitigate cyber risk by layering-on to answer more and more cybersecurity investments isn’t working. In fact, I think that sometimes it has left some organizations more exposed to cyber risk in general. If not by direct cyber threats, then to operational costs and the risk of human error. By focusing on protectionist measures, stakeholders become hyper-focused on the impossible task of stopping every single cyber threat, while financial contingencies and remediation pathways go largely ignored. Thus this is very reason why the risk gap has grown so large. (To read more about the cyber risk gap, read the blog from our CEO)
For the average industrial enterprise, senior leadership has a fiduciary responsibility to understand the full scope of their cyber risk exposure and what they can do about it. Forget about best practice – according to Gartner, it is projected that the majority of C-suite leaders may per personably liable by 2024! As far as cyber risk goes, it includes cybersecurity, but also true cyber risk quantification. Without that understanding cyber risk in terms of probabilities and financial terms, no organization can truly mitigate the impact to their business that emerging cyberthreats can pose to their bottom-line, to their employees and shareholders or even regional laws. And there lies the challenge – few organizations know this information and even fewer insurers of cyber risk can underwrite such scenarios.
Incomplete data = Inefficient market
In short, I joined DeNexus because current cyber insurance markets are inefficient. Within the greater ICS/OT cybersecurity and operator community, this is regarded as an obvious fact, yet few have set out to solve it. At DeNexus, we are solving cyber risk for ICS and OT. How?
Well, cyber risk is big (Trillion-dollars big) and global insurance agencies are clamoring to underwrite cyber risk – for the right price of course. But deciphering the right price is synonymous with valuing cyber risk at the client level. Current cyber insurance markets are based on opaque sets of information for risk owners and organizations seeking to transfer their cyber risk. In other words, this would require insurance providers to be cybersecurity and asset visibility solution providers – which they are not. Conversely, cybersecurity and asset visibility solution providers are not insurance agencies. Thus, the cyber risk gap exists.
At DeNexus, we are here to help the industrial world reduce and manage their cyber risk. This is why I joined DeNexus.
Learn more about DeNexus and the DeRISK Platform. Download our solution brief now: