“Historically, CIOs and CISOs have operated in a siloed fashion. CIOs would focus on their IT departments, and not consider cybersecurity as integral to that,” notes Mike Convertino, chief security officer for Arceo, a cyber security and insurance analytics firm. San Francisco-based Arceo aims to bridge the gap that exists between securing companies from cyber threats and insuring them for the costs of responding to incidents. Arceo is bringing together experts from each of those fields, as Convertino attests, to help manage this risk holistically from assessment, to response and to recovery. Before joining Arceo earlier in 2020, he was the CISO at Twitter, with a long career in cybersecurity at F5, CrowdStrike, and the U.S. Military. “For enterprise risk management to effectively address cyber, CIOs and CISOs need to both coordinate on what is the core operation of their business. If you can’t deliver a service to your customer, it doesn’t matter if it’s a production delay or a DDoS attack. You are losing revenue.”
Arceo serves as “a translator between a company’s internal ERM for cyber threats and the insurance industry, helping each to understand the other,” Convertino explains. Cybersecurity and risk professionals each have separate and distinct skill sets and perspectives. But organizations that combine both sets and points of view enable smarter risk management, better protection and greater cyber resilience, he adds.
ERM challenges for CIOs
One of a CIO’s key challenges in ERM, says Convertino, is getting sufficient, affordable cyber insurance. A major reason is that insurers struggle to assemble relevant historical data on cyber losses, so the coverage they offer is more limited and costs more. By contrast, auto insurers have volumes of loss data and new tools to assess risks, making it easier to offer better coverage at premiums that match drivers’ risks, Convertino explains.
As cybersecurity and information security threats grow, strong enterprise risk management depends on a collaborative approach to make organizations safer
“Until cyber insurers can work out the risk tables and better assess cyber risks, companies will have a hard time obtaining really good coverage,” he says. “Arceo is bridging this gap by providing technical risk assessments, which include a world-class evaluation of the security posture, the threats a company faces that pertain to its business and a company’s protection mechanisms as it relates to those threats.”
Arceo also is offering “world-class bundled services, such as referrals to incident response and infrastructure recovery contractors. Adoption of those recommended services will have a positive impact on the technical risk assessments Arceo reports to insurers,” he says.
ERM trends to watch
Several trends in information security will have an impact on enterprise risk management, Convertino contends. “Cybersecurity involves preventing leakage or loss of data and systems due to hacking, as well as protective measures that encompass processes and supporting systems that prevent denial of service attacks, ensuring data is available and has not been manipulated; those sorts of incidents are becoming more frequent. Cryptoviruses, such as ransomware, are an example of a denial of access to an organization’s information,” he explains. To combat these, CIOs and CISOs need to work closely, and organizations must improve their defenses and resilience, he advises.
“Most of us in information security believe attacks are inevitable. Given enough resources and time, every information system is accessible to a hacker,” Convertino says. “When the CIO and the CISO partner over enterprise risk management, security stops being viewed as only a cost center and becomes a way to dramatically lower the overall risk a company faces.”