Terry Kurzynski is the founder and Senior Partner of HALOCK Security Labs. With a background in security, networking, application development, audit, project management and consulting, Terry has a unique skill set in providing strategic advice to clients. Terry has two related areas of focus: Incident Response Readiness and Risk Management. Terry has pioneered a service philosophy that he calls Purpose Driven Security. This philosophy can best be summarized as measured and preemptive. Together, the dual emphasis allows organizations to utilize a limited security budget to maximize protection of their critical information assets.
Christopher P. Skroupa: Considering the constantly evolving tactics of hackers, is there such a thing as too many security measures?
Terry Kurzynski: Yes, in fact, our legislation is built with the concept of risk management to balance the needs of the business with their obligations to protect the public. Laws are made that include risk management in order to be business-friendly. Organizations are to assess risk in terms of impact to their mission and objectives as well as impacts to their obligations and ability to cause harm to others. Security measures are to be implemented to bring down the risk in all categories to an appropriate level, but never to zero. There is always some risk. If zero risk were the goal, we would not drive cars on highways knowing that 40,000 people will die each year in the U.S. from automobile accidents. But the economic benefits outweigh the risks. Each business and organization needs to develop its calculations for acceptable risk; calculations that are defensible in front of a judge and jury.
Skroupa: With laws and regulations calling for businesses to implement required cybersecurity protocols, where does negligence come into play?
Kurzynski: Organizations are left with a lot of variability in which controls they choose to implement, the priority of implementation, and the extent to which they are implemented. Negligence cases are based on one simple question: Did the organization perform its duty of care? If its duty of care was insufficient, it may have a higher liability due to negligence.
The question remains, how does an organization know if it has an appropriate level of care? To find out, we need to ask several questions:
- Does the organization perform a review on a regular basis for risks that could pose harm to others or may impact its obligations (e.g., protecting personally identifiable information (PII))?
- Has the organization developed a definition for its acceptable risk as well as a calculus to prioritize risk?
- Does the organization have a plan and is it managing that plan to treat and reduce the risks that it has defined as unacceptable?
If the organization can show strong process and calculus for these questions, it is likely demonstrating an appropriate duty of care. It is possible, however, to increase negligence if the framework and calculus being used are inappropriate. I saw one organization decide on acceptable risk based on whether treating the risk would impact their bonuses. That would be a strong case for negligence if they ignored the harm to the public in favor of their bonuses.
Skroupa: Why have we seen a recent flurry of activity for Incident Response Plans and Readiness with American businesses?
Kurzynski: The current surge in incident response planning and readiness is a result of the recent onslaught of massive data breaches – both in size and number. There are many serious ramifications of not being prepared, such as political threats (cyber warfare). This includes threats to critical infrastructure like energy grids, water systems, transportation systems, etc.
New guidance is coming from the White House and US Department of Homeland Security, including Executive Order (EO) 13636: Improving Critical Infrastructure Cybersecurity and the released Presidential Policy Directive (PPD)-21: Critical Infrastructure Security and Resilience.
A major component of the executive order is the Cybersecurity Framework by the National Institute of Standards and Technology (NIST). The framework seeks to assist critical infrastructure sectors and organizations in reducing and managing their cyber risk. Financial regulators, like the SEC, have developed guidance that follows the White House framework. The framework has a heavy emphasis on incident response readiness, including developing an Incident Response Plan and training the staff on that plan. At the same time, we have an explosion in the cyber insurance space. Cyber insurance carriers are very focused on the ability to respond to an incident and have provided their insureds guidance on incident response readiness. So it is all of these factors that are driving the increase in activity. The security community is finally facing the fact that we are not able to keep the bad out forever and that having a response plan to reduce the liability is a top priority.
Skroupa: You brought up cyber insurance. How are organizations utilizing cyber insurance as a security answer versus implementing security? Can they just buy insurance, rather than implement security?
Kurzynski: No, you can’t just buy insurance to exonerate your organization from its responsibilities. When an organization seeks cyber insurance, the insurance carrier is going to ask tough questions about the applicant’s security controls. They are going to ask about your Incident Response Plan. We are also seeing cyber insurance carriers starting to use risk assessments during the underwriting process, especially for the larger policies. In the near future, when an organization can demonstrate that they understand the risks posed to their organization and have a process to mitigate known risks, they are more likely to get a policy that is priced according to their level of risk. Think about life insurance. An individual applying for a million-dollar policy cannot expect to get a good policy if they live recklessly or are in poor health. The life insurance company will favor someone who has a healthy lifestyle and doesn’t engage in risky behavior. The next wave of cyber insurance will be risk-based where premiums are balanced with risk. Companies will need advanced security programs in place to ensure they are getting the best rates and appropriate coverage.
On October 22, 2015, Skytop Strategies will present, “Cyber Security: Emerging Best Practices in Breach Response and Mitigation Strategies” hosted by Edelman at the Chicago office. Continue the discussion with Terry Kurzynski and chief information security officers, IT security engineers and information assurance analysts at this full-day conference, designed to explore operational strategies that minimize disruptions from a cyber breach.