Editor’s note: This is the ninth in a series of interviews with the session leaders of the upcoming GSO 2025 event being held Nov. 2-3, 2022 in Dallas, Texas. The event is named with a future date because it takes a 3- to 5-year look ahead at where security leadership and security technology are going.
Managing Editor John Dobberstein recently sat down with Grace Crickette, vice chancellor of finance and administration, University of Wisconsin-Eau Claire; and former chief risk officer – University of California, to discuss why it’s important for CSOs and regional/global security managers and directors to understand the Enterprise Risk Management role as related to cyber risk insurance and any business risk insurance. The GSO event is quickly approaching. To find out more and register go here.
SIW: Recently the U.S. Federal Cybersecurity & Infrastructure Security Agency (CISA) of the Department of Homeland Security began recommending that cybersecurity insurance firms encourage the implementation of best practices by basing premiums on an insured’s level of self-protection. This applies not just to information systems and IT infrastructure deployments, but to IoT deployments as well, including electronic physical security systems.
Crickette: As insurance carriers begin setting their coverage and rates based on their clients’ security profiles, any manager or executive with responsibility for networked IT, OT and IoT systems must have – or be part of – an information technology risk management program that addresses the full spectrum of cyber liability risk. That includes physical security for IT, OT and IoT systems as well as cybersecurity.
For corporate/physical security practitioners, now it the time to start preparing for that eventuality. Who are the senior risk managers, and what information will they need from you to help determine the amount of risk they are willing to accept, and what parts of it they would like to insure? Summary data from the corporate/physical risk information will be combined with summary data from IT, OT and other IoT risk data to help senior company risk managers and executives build a complete risk picture as relates to potential insurance coverage. This kind of data is important to determine what insurance coverage limits should be sought.
SIW: In this day and age isn’t most data electronic?
Crickette: Yes, but not all. For example, research areas typically contain highly-confidential hand-written or printed test planning and test results, logs of measurements taken, printouts from analysis machines, and so on. There are key questions. Do we need to further harden the building because of what’s going on inside it? Do we have enough security layers in place? Are there any single points of failure? Do locations containing critical information have sufficient video coverage to document the handling of physical forms of data? What are the data lifecycles and how is secure data destruction carried out? Are there signed logs for multiple witnesses to the effectiveness of data destruction? Have the physical data locations and the data lifecycle processes been audited? What are the business consequences of potential data protection failures, and to what extent can they be covered by insurance?
SIW: In general, what is the biggest mistake CISOs and security managers make when looking to buy cybersecurity insurance?
Crickette: Partner with your Chief Risk Officer and other experts not just during the insurance buying process, but throughout the year with evaluation of the risk. Put in place a Enterprise Security Risk Management program that will help you and the CRO keep a pulse on the exposure/risk and allow you to be prepared to present your organization in the best light to the insurance underwriters and obtain the broadest coverage at the optimum price for your organization. This will also make you better prepared for Board meetings and reporting on IT, OT and IoT risk in the language of management.
SIW: Given the pervasiveness of breaches and hacking, would you say it’s not “if” a company will be breached but “when?”
Crickette: Yes, but the most common loss is data/system compromise that may not arise from a breach or a hack, rather data exposure or data loss. Most hackers don’t “hack” in, they log in using borrowed or stolen credentials, gain access to networks, and escalate their privileges exploiting multiple vulnerabilities along their attack path. Regarding physical security systems, there is a significant insider threat risk due to the number of passwords typically set up for each system (and each camera, which is a computer with a web server running on it) that are created and used by personnel of third-party companies. Although modern tools exist to manage camera passwords, firmware and digital certificates at scale, most large enterprises don’t use them – typically out of a false sense of economy. The losses from this kind of access to corporate systems can also easily exceed $1 million in claims.
SIW: What do you hope to achieve for the GSO 2025 attendees in your Day 1 session titled, Value-Based Risk Management?
Crickette: Help those in attendance to have a broader view of risk and walk away with some tools and ideas on how to improve the management of risk for the organizations that they serve.
SIW: Well Grace, it was a pleasure to talk with you today. Best of luck and we look forward to hearing more from you at GSO 2025 this November.
Crickette: Thank you John, I am looking forward to the great discussions we will have at the upcoming GSO 2025 Conference.
To find out more and register for the GSO Event go here.
