Here’s a simple framework for predicting where the InfoSec market is heading using cyber-insurance:
1/ Cyber-insurance is becoming increasingly mandatory for businesses, protecting them and third parties from financial losses.
If this trend continues, what happens next? 🧵👇
2/ To manage risk, cyber-insurers become increasingly prescriptive—requiring specific security controls before extending coverage. Policies will be tied to security controls that demonstrably reduce financial loss.
3/ As a result, companies will prioritize buying and implementing what their cyber insurer requires—not just what sounds good in theory (i.e. ‘best practice’).
As such, security spending will increasingly align with insurability.
4/ The key question: Which security products and services will insurers require or reward with lower premiums? And which will they ignore?
5/ If a security control isn’t required for coverage—or doesn’t lower premiums—it means insurers either (1) don’t see a measurable reduction in risk or (2) don’t yet have enough data to assess its impact.
6/ Measuring product efficacy in terms of financial loss is extremely hard. This is why today, very few security controls are explicitly required for coverage or result in premium reductions. InfoSec still lacks high-confidence data linking controls to outcomes — BUT some do exist!
7/ As cyber loss claims grow, breach patterns emerge, and insurers gain better IT telemetry from clients, we’ll see a stronger correlation between specific security controls and financial loss outcomes.
8/ For now, here is a useful market signal: If a security vendor offers a warranty, chances are an insurance carrier is underwriting their risk. That means the insurer has confidence that claims will be limited—a strong indicator of product efficacy.
9/ In short, cyber insurance will increasingly dictate security budgets and priorities. Insurers will reward proven risk reduction, and the industry will evolve based on what actually works—not just what’s marketed well.
10/ If you're building in InfoSec, watch closely what the cyber-insurance carriers say and do. Doing so provides signal on which new markets are 'hot' and which will languish or need to be disrupted.
