Here’s a simple framework for predicting where the InfoSec market is heading using cyber-insurance:
1/ Cyber-insurance is becoming increasingly mandatory for businesses, protecting them and third parties from financial losses.
If this trend continues, what happens next? 🧵👇
2/ To manage risk, cyber-insurers become increasingly prescriptive—requiring specific security controls before extending coverage. Policies will be tied to security controls that demonstrably reduce financial loss.
3/ As a result, companies will prioritize buying and implementing what their cyber insurer requires—not just what sounds good in theory (i.e., ‘best practice’).
As such, security spending will increasingly align with insurability.
The key question: Which security products and services will insurers require or reward with lower premiums? And which will they ignore?
5/ If a security control isn’t required for coverage—or doesn’t lower premiums—it means insurers either (1) don’t see a measurable reduction in risk or (2) don’t yet have enough data to assess its impact.
Measuring product efficacy in terms of financial loss is extremely hard. This is why today, very few security controls are explicitly required for coverage or result in premium reductions. InfoSec still lacks high-confidence data linking controls to outcomes — BUT some do exist!
7/ As cyber loss claims grow, breach patterns emerge, and insurers gain better IT telemetry from clients, we’ll see a stronger correlation between specific security controls and financial loss outcomes.
8/ For now, here is a useful market signal: If a security vendor offers a warranty, chances are an insurance carrier is underwriting their risk. That means the insurer has confidence that claims will be limited—a strong indicator of product efficacy.
9/ In short, cyber insurance will increasingly dictate security budgets and priorities. Insurers will reward proven risk reduction, and the industry will evolve based on what actually works—not just what’s marketed well.
If you're building in InfoSec, watch closely what the cyber-insurance carriers say and do. Doing so provides a signal for which new markets will be 'hot' and which will languish or need to be disrupted.
Over the last several years, tons of insurance carriers rushed into the cyber market to take advantage of corporate demand. The market grew incredibly fast (still is!). Many carriers signed up clients with bad risk profiles and are now suffering the financial consequences of breaches.
Consequently, from all the ransomware, etc., we should expect many cyber-insurance carriers to exit the market over the next couple of years. Some carriers fared way better than others. It’s basically a shake-out between those able to identify good risk vs. bad.
And when this happens, the market for cyber insurance policies will become just that much more demanding in terms of what security controls a company must have in order to get liability coverage, or coverage at the level they need.
When I first started training Brazilian Jiu-Jitsu, I'd get tapped 20 times a class. While it was still fun, let me tell you, being tapped repeatedly every night for months sucked. I’m not going to lie, it was incredibly discouraging and I contemplated giving up many times. /1
I discussed this with my instructor, who gave me one of the greatest BJJ and life tips. He said instead of thinking of BJJ as getting a tap or being tapped, track progress by how many fewer times you get tapped each night, and how long you survive between taps. So, I did. /2
Sure enough, 20 taps a night became 15, and then 10, then 5… and after a long while, I’d only tap once or twice. Eventually a few nights a week I wouldn’t get tapped at all! Just being able to survive, especially against a bigger and better opponent, is a tremendous win. /3
Right now we’re at the birth, or very very early stages, of an industry called “Attack Surface Management” (ASM). I know what this feels like and looks like, having also been present at the birth of the “Application Security” industry. /1
How the ASM market will evolve over time will be a fascinating experience as it’ll have an enormous impact on essentially every adjacent market of the Information Security industry — and the overall security posture of the Internet. Here’s how I think things will play out… /2
As things are today, very few organizations of any size know their attack surface. Said another way, organizations have limited visibility of their Internet-connected assets, what they do, what they’re running, who is responsible for them, what they’re worth, etc. /3
I remember when @BillGates published the Trustworthy Computing memo in 2002, changing Microsoft’s course. As the @WhiteHouse just posted the "Executive Order on Improving the Nation’s Cybersecurity”, it feels like a similar moment, and one that is being taken seriously.
Remove barriers to threat intel sharing, mandatory breach reporting, develop standard DFIR playbook, use Zero Trust, use The-Cloud, do MFA, do EDR, do data encryption at-rest and in-transit...
… require software security testing, establish a Cybersecurity Safety Review Board, and experiment with consumer product labeling.
Security vendors in certain market segments are going to win ENORMOUS contracts. But will any of this result in fewer and less impactful breaches?
“Today’s" ransomware tools were built using the profits from “yesterdays" attacks. Consider how much how in BTC ransomware groups received in 2015-2020. This period BTC went from a couple thousand to tens of thousands. They made billions, and likely sitting on billions more.
Ransomware group have crazy R&D budget access and as BTC rises in value, it gets just that much more powerful. For the forseeable future, we’ll be fighting against some of the most powerful cyber-criminal tooling we’ve ever seen.
2013 example: "CryptoLocker, in an attempt to gauge the operators' takings. The four addresses showed movement of 41,928 BTC between 15 October and 18 December, about US$27M at that time.” en.wikipedia.org/wiki/CryptoLoc…
In 1999, Microsoft was ruled a monopoly. In 2002, Bill Gates announced the Trustworthy Computing Initiative. Over the next decade they made great improvements in software security. No one disputes this...
However, nearly 20 years since TWI, a large number of 0-days are floating around and hundreds of thousands of companies are getting hacked. Millions of people too. And of course, this isn’t just restricted to Microsoft — other companies are decades behind.
Bottom line: software security problems and breaches, whether caused by 0-days or anything else, aren’t going away anytime soon. More software is going in every day, and other software is being EOL’ed without being removed.