The Power of Proactive Protection in Cyber Risk Management and Beyond with Jim Goldman and Ryan Dunn

Jara Rowe: Gather around as we spill the tea on cybersecurity. We are talking about the topic in a way that everyone can understand. I'm your host, Jara Rowe, giving you just what you need. This is The Tea on Cybersecurity, a podcast from Trava. If there is one thing I've taken away by hosting The Tea on Cybersecurity, it's that it's essential to have a solid cyber- risk management strategy in place from day one. It's better to be prepared than unprepared when it comes to all of your cybersecurity needs, and that is exactly what we'll be talking about during this episode. On this episode of The Tea on Cybersecurity, we'll be talking about the differences between proactive versus reactive strategies and even how they relate to cyber insurance. I have two recognizable voices joining me during this episode: Jim Goldman and Ryan Dunn. Hello, gentlemen.

Ryan Dunn: inaudible.

Jim Goldman: Hi, Jara. How are you?

Ryan Dunn: Hold the applause, everybody, please.

Jara Rowe: Hold the applause. I'm doing great. I'm so excited to talk to you guys about this. I actually feel like now that I've learned so much, I know the difference between being proactive and reactive and which one's better, but I'm still excited to learn more from you guys today, so going to get right into this. Jim, I have the first set of questions going to you. For the listeners that may not be familiar with this, can you talk about what a proactive cybersecurity strategy is and what a reactive one is?

Jim Goldman: The first thing you have to do is be aware of what we call your system boundaries are. Now, I say something like that and people might say, " Oh, Jim's getting overly technical again," and I'll tell you what just occurred to me is, what if you are a rancher and you had cattle that you were trying to protect? What's the first thing you're going to do? Well, you're probably going to put up some kind of fence around the boundaries of that ranch. How do you do that? Well, if you don't know where the boundaries are, you can't very effectively put up a fence, and that's exactly what we're talking about. You need to understand the boundaries of the system that you're trying to protect, because within that system, instead of having cattle, you have data. It may be a customer's data, and so first and foremost, what's the rancher have? The rancher has a plot, a survey, that says exactly where their boundaries are. It's a system diagram. That's what we need. We need a system diagram. We need a plot. We need a diagram that shows system boundaries of our information system rather than our ranch. That's really where it starts, unless you know where your boundaries are. Again, keeping with the same analogy, unless you know where the gates are, where you purposefully let cattle go in and out. In our case, where are the gates where you let third parties, whether they're customers or vendors or service partners, where are you letting them come into those gates in your fence? Same thing. That's proactive.

Jara Rowe: I love that analogy. Your analogies are always so helpful.

Ryan Dunn: They're always spot on.

Jara Rowe: They really are. Jim, next thing for you. How does a proactive approach to cybersecurity help organizations identify and mitigate potential threats?

Jim Goldman: It's a really good question, and again, a spot where people get hung up. Now, picture that we've got that system diagram in place. We've got the vectors where our different service providers come in. Now, those are authorized people that are getting in, but where are the weak spots in the fence? Going back to the analogy, where could cattle rustlers get into your periphery fence and steal your cattle? In this case, it's where could cyber criminals break through your boundaries that you've set up, whether it's technical boundaries, logical boundaries, et cetera? Protections: where could they get through your protections? Where are the potential holes? There's going to be a limited number of what are called ingress points, where third parties can get in, and egress points, where data could potentially go out. It's just like protecting a venue like a large concert venue or a convention center. There's only so many doors, and so that's where you put your security. It's the same thing in this case with your information system. There are only so many doors, so that's where you have to put your security.

Jara Rowe: Ryan, why do you think so many people typically lean towards being reactive? It just seems like a natural response. Why is that?

Ryan Dunn: I'd like to touch on what Jim was saying, how it relates to insurance, and then I'll get into why agents tend to fall into a reactive stance, but it's similar on the being proactive side for insurance. Jim's alluding to knowing where your boundaries are. And being a proactive agent, you are understanding the vectors that are going to influence your client's insurance renewal. So for example, when you go out to get cyber insurance, a lot of these MGAs and carriers are analyzing your clients using a vulnerability- management scanning tool. If you're not equipped with that, it's tough for you to be able to understand what is going on with your client's cybersecurity infrastructure, be able to address that ahead of time. Understanding where your client sits in their renewal is extremely important, and that takes a proactive stance in order to accomplish that.

Jim Goldman: The phrase that comes to mind when you say that, Ryan, is you're flying blind. What do pilots do when they can't have visual? Good pilots, commercial pilots, do they need to be able to see with their eyes? No. Why? Because they've got instrumentation, and so it's the same thing. What do cyber- insurance agents have for instrumentation so they're not flying blind?

Ryan Dunn: Exactly. Right now, it's just please, don't get referred to the underwriter, because then I'm going to have to go back to the client and I'm going to have to pretend like I know what this open port is. Frankly, I don't know if I have a nice answer as to why agents tend to be reactive. I think it's only just human nature, but we tend to just sit on our laurels and just think about cyber as if it were GL or property insurance or workers' comp insurance. We're just going out there and we're getting a quote, and for a general liability policy, there's not much preparation for a general business. There's not much preparation that needs to be done. You're just collecting info on the application and submitting it for insurances. I think it just falls into human- nature coordinates where we're just resting on our laurels, resting on what we're used to doing instead of trying to think outside the box: " Okay, wait, how can I avoid this situation?" or, " How can I improve this for my client?", we're going to hear a lot, that is going to take proactive thought and creative thought in order to accomplish that.

Jara Rowe: I would much rather be prepared than wait for something to happen. Freaks me out.

Ryan Dunn: I don't sleep.

Jara Rowe: It causes anxiety. Yeah.

Ryan Dunn: I don't sleep. My mind will run in 20 different directions.

Jara Rowe: Exactly. If you guys could give a tip for someone about third- party checking to make sure everything is good, what would that one tip be?

Jim Goldman: What we tell all our customers is it doesn't have to be that complicated or expensive. In other words, you could just have a spreadsheet. So the first thing, again, is inventory. Do you even know who all your service providers and third- party providers are that you're giving access into your system? And usually it's very simple. On a simple spreadsheet, they fall into two buckets: those that have access to your customer's data and those that do not. Those that do not, you have one set of security questions for them, one set of security requirements. Those that do have access to your customer's data or your intellectual property G, now we need to do a little bit more scrutiny, and so what do you do in that case? You ask them, " Do you have a compliance certification? Are you SOC 2 certified? Are you ISO certified? Okay, I'd like to see your report or your certificate." They should be very happy to provide that. If they don't have some third- party attestation as to the veracity of their security program, then you have not just a right, but you have an obligation to send them a security questionnaire, where you ask them some fairly detailed questions about what they are doing and what they're not doing.

Ryan Dunn: I actually went to a doctor's office recently that I had visited frequently, and they lost all of their customer's data. It was very interesting to go through that experience, because I'm like, " How did you lose it and where did it go?" And that's inaudible.

Jim Goldman: And they said, "I don't know."

Ryan Dunn: "I don't know." They said, " I don't know."

Jara Rowe: That's so terrifying.

Ryan Dunn: That's a really good... From what Jim's saying, do they have your customer's data or do they not?

Jara Rowe: Wow. I hope that never happens to anyone else. That's terrifying. Next question. I know that you two are passionate about how technology can help all of this. What role can technology play in supporting a proactive cybersecurity strategy for both agents and their clients?

Ryan Dunn: There's a few different areas to address here from a technology standpoint. I think the clear and obvious one is a vulnerability- management tool. Stop flying blind with no instrumentation.

Jim Goldman: You can't fix what you don't know about.

Ryan Dunn: Let's start there. I think that's the obvious first choice. The second piece of technology that can help agents and their clients, and it's not really something that is really out there in the market yet, and that is real risk- quantification benchmarking. What I mean by real is what we see is benchmarking based off of purchasing behavior, and this purchasing behavior goes, " Hey, what are my people and my peers in my industry buying in cyber insurance?" And benchmarking says a million, so they go a million, but they're a$ 50 million in revenue hospital, so that doesn't make any sense. What does that tell us? The data sets that we're feeding into benchmarking are incorrect. We need to start having an honest conversation about how that technology can be deployed, but in my mind, it needs to be some type of risk quantification based off of your risk score within your industry and finding a way of correlating premium to that. That would give us a good reading of, " Okay, what are my peers buying that are investing in security like me?" That's the real question, not what are everybody else buying, because your security isn't like Company B's security, and that's another piece of technology that I think could deliver a ton of value to clients that really isn't out there in the market right now.

Jim Goldman: I agree a hundred percent, and that's really where we're trying to head. I often use analogy of the credit score and the credit industry. That's risk. If people have a low credit score, then the banks are going to be less likely to give them a loan, opposed to if they have a high credit score. Well, it's no different in the cyber- risk realm. We're trying to standardize on something we call the travel risk score. In this case, we'll say high is good. Just to be clear, the higher your travel risk score, the less risk you have; the higher level of comfort and insurance carrier or an insurance agent would have to write a policy with higher limits, lower premiums, et cetera. It's the same type of situation. Same construct, same model that's being done. We need to do the same thing in cyber risk that we've been doing in credit for years. Now, what's interesting is Ryan mentioned vulnerability management, and that certainly is first and foremost, but in some sense, going back to the cattle- ranch metaphor, all vulnerability management is doing is telling you where the holes in your fence are so you can go out and fix them. The question is, what can you do so you stop having so many holes in your fence? All right? That's where we get into the other type of more proactive, because think about it. Just by identifying vulnerabilities and fixing them, identifying, fix, identifying, fix. That's reactive. We're not proactive yet. Is it improvement? Yes. Should you do it? A hundred percent. Absolutely. But it's still reactive. Sometimes people call it whack- a- mole. I'm never going to gain. I'm never going to get ahead of it. Well, it's the other security processes and sometimes associated technology that gets you ahead of it. Patching management, multifactor authentication, security awareness and training, backup and recovery, encryption at rest and in transit, intrusion detection and recovery: these are the types of systems that companies eventually put in. Do they still need vulnerability? A hundred percent. However, what's going to happen over time? Their list of critical vulnerabilities that need to be fixed is going to start to reduce. We're going to start having fewer holes in our fence that we need to go out and fix.

Jara Rowe: Yeah. We don't want to keep fixing the holes.

Jim Goldman: We don't want to keep fixing the holes in the fence. That's right.

Ryan Dunn: Yes. There starts to become fatigue there.

Jim Goldman: Yeah, exactly.

Jara Rowe: You guys are providing me with such great gems of knowledge. So can you share best practices for organizations looking to adopt a proactive cybersecurity stance?

Jim Goldman: What I would say, as I started, the first thing I said on the podcast was understand your system boundaries. Not everybody's equipped to do that. Again, I don't mean to make it a shameless plug, but hire someone like Trava or an equally qualified organization to help you with what we call the baseline cyber- risk assessment. This is not something that everybody should do for themselves, but you need that initial assessment, and that's why we purposely call it baseline. It's here's your starting point. There's no judgment. You're not bad if you get a low score or something like that. It's just everybody has to start somewhere. The reason it's important to do that and make that small investment in that baseline cyber- risk assessment is the other analogy that they often use is you're going to become a victim. If they had a shopping channel for cyber tools, you'd be stuck watching the cyber- shopping channel, and you say, " Oh, I need one of those. Oh, I'll get one of those too. I'll get one of those too." Guess what? That's not a solution. I often use the analogy of if your check- engine light goes on in your car, you pull into the nearest auto- parts store, you're not going to grab a shopping cart and just start pulling random auto parts off the shelf. You don't know what's wrong. Same thing with cyber. If you don't know what's wrong, if you don't know where your biggest weaknesses are, why would you pay a dime on any solution?

Ryan Dunn: Yeah. You start to become a cybersecurity hoarder.

Jim Goldman: You hoard-

Ryan Dunn: Oh, I got this EDR somewhere in here.

Jim Goldman: Yeah, you hoard tools that don't work.

Jara Rowe: Now that we've spilled the tea on being proactive versus reactive, it's time to go over the receipts. I think one of the overarching things that I took away from the conversation with Ryan and Jim is that you don't want to fly blind when it comes to your cybersecurity. You need to understand where your vulnerabilities are in your company to make sure that you have things in place to make sure no one actually comes in. And another thing: in order to be proactive, you have to understand your boundaries, specifically your system boundaries, and Jim did a great job at relating this to protecting a ranch. You want to make sure you have your defenses up in the places that are necessary. A third receipt that I have is about third- party risks. As businesses, we all work with outside companies and things like that, and it's essential to understand what their vulnerabilities are. One of the tips that Jim gave for this is super simple that anyone could do, just to create a spreadsheet that lists all of your vendors, and you have columns so you can see which vendors have access to your employee data and which do not. That is just a very simple way to start being able to check your third- party risks, because once you partner with these companies, you also take on their risks as well, so it's just important to know where they are so you'll be able to decide if that's the right vendor for you or not. From a technical standpoint, specifically for insurance professionals, Ryan talked about some tools that you can use that will help with insuring your clients, and most importantly, the renewal process. So Ryan talked about vulnerability management tools as well as a real risk- quantification benchmarking. A lot of the times now in the insurance world, specifically with cyber, end up comparing yourself to another company that is really like apples to oranges. It's not exactly the same, and so Ryan talked about real risk- quantification, benchmarking will help understand to be able to make sure that everyone is insured the way that they should be for their industry and for companies. Jim talked about the different technical things that you should have in place, number one being MFA or a multifactor authentication, which we talk about a lot on The Tea on Cybersecurity. He also mentioned security awareness and training, which we have an upcoming episode about that here soon, encryption at rest and in transit, backup and recovery, as well as intrusion detection and recovery. Again, it's way better for all of us to be more proactive than reactive. Let's figure out how to stay safe earlier on. I hope you gained as much information as I did from this episode, and that wraps another episode of The Tea on Cybersecurity. Bye. And that's The Tea on Cybersecurity. If you like what you listened to, please leave a review. If you need anything else from me, head on over to Trava Security. Follow wherever you get your podcasts.