The Needs of Tomorrow

Cybersecurity consists of a collection of people, processes, and technologies working toward a secure state of information technologies that facilitate business operations and protect the data of these operations. This writing focuses on a company operating at a global scale in the finance and insurance industries managing billions of dollars in assets by an employee base of fewer than fifty personnel in the parent organization. I will refer to this company as Worst Insurance Group throughout this writing. How does Worst Insurance Group manage cybersecurity operations? What are the challenges Worst Insurance Group will face in the future in terms of securing information operations? These questions are examined in this blog with suggestions to address the challenges presented.

The insurance industry is essentially risk management through transference by spreading risks (Liu, 2021). Significantly more work goes into the profession, such as writing policies, managing claims, or calculating risk (Nurse et al., 2020). As an organization that deals primarily with insurance and reinsurance, this business activity is not absent of risk to business technology operations from cyber threats. For example, the proliferation of ransomware cases occurring throughout 2020 and early 2021 demonstrates a need to protect business resources against data and system resource hijacking. The existence of Ransomware-as-a-Service capabilities via the dark web (Tor) suggests that ransomware is a successful criminal endeavor quickly becoming an epidemic (Meland et al., 2020).  

Deploying security technologies to detect, investigate, and respond to cybersecurity threats is part of an overarching solution to mitigating risks in cyberspace. As threats increase, there is a need for additional detection capabilities to combat cybercrime, which is a primary cyber threat to the finance industry. Threat actors weaponized information about major events such as the global pandemic (Minnaar, 2020). Threat actors employed pandemic-related themes via phishing schemes to target an information-starved remote workforce with malware, exploits, and ransomware (Minnaar, 2020). A means of combatting such activities is through leveraging Cyber Threat Intelligence (CTI). CTI attempts to detect malicious activity early by preparing organizational stakeholders with a knowledge advantage over threat actors (Oosthoek & Doerr, 2021). Leveraging CTI to complement cyber threat defenses is a unique endeavor for a private industry that will be essential for staying informed of advanced threats and capabilities to formulate mitigation strategy and defensive capability. This capability is often manifested in a shared capacity among organizations with similar interests, where quality is evaluated from multiple stakeholder perspectives (Schlette et al., 2020).

Worst Insurance Group has several subsidiary businesses that vary in specialization and revenue generation. Collectively, these businesses represent enormous financial assets under management while having very few employees per company. Each of these businesses undertakes separate initiatives around cybersecurity strategy and orchestration. Some of the activity is without thought to strategic cybersecurity objectives outside of preventing compromise. Even though each organization is a member of a parent organization, Worst Insurance Group provides no strategic cybersecurity guidance to defend their respective subsidiary environments. In response to guidance from the World Economic Forum, four financial firms, including Citigroup, Inc. and Kabbage, Inc., established a consortium to collaborate on cybersecurity defenses addressing an increasing modularization of the fintech industry (Clozel, 2018). What is unique in this activity is the collaboration of separate unrelated firms with similar interests, which suggests greater value than going alone. Taking this idea further, Worst Insurance Group would benefit from establishing strategic guidance for all subsidiary organizations in governance and risk management capabilities. A unified effort may establish greater confidence in focus and purpose for cybersecurity initiatives being pursued independently. The consortium must consider the unique risks each subsidiary organization faces and establish overarching foundational approaches for managing day-to-day cybersecurity operations of greater quality, best practice, and sound, measurable cybersecurity objectives. This influence may also carry over into other overarching improvement initiatives.

With the current staffing at Worst Insurance Group, there is concern about available expertise to address the ever-expanding cybersecurity arena beyond an insurer’s perspective considering that of actuarial tables. With the isolation of each subsidiary organization, the staffing for each is capped at 2 information technology resources per company. These resources fulfill multiple roles for all things technology-related. This includes protecting their respective companies from cybersecurity threats. What should be noted is that the parent company's success is in part due to lean operational efficiency, which naturally influences the subsidiary businesses. However, this success does not equate to having the necessary information security analysis capability. Information security analysts plan and carry out cybersecurity activities to protect computer systems and networks, a specialty having a projected growth rate of 31% - the average job outlook being 4% - between 2021 and 2029 (Bureau of Labor Statistics, 2021). The current labor market shortage of qualified cybersecurity analysts offers little hope to Worst Insurance Group to retain the right people with the appropriate skillsets. As such, the organizations have few choices. Consider outsourcing security monitoring and incident response activities to a third party capable of filling the gaps across each subsidiary business comprehensively or collaboratively. Quality third-party managed security service providers provide security services at varying levels for extended periods. 
These providers often have specific cybersecurity skillsets across strategic, technical, or operational areas that can be leveraged as needed within each business at predetermined increments of maturity posture. In Worst Insurance Group, a managed security service provider may fulfill key organizational concerns (analytical quality, full monitoring, and skilled investigation) until the parent company can formulate a more permanent solution such as maturing in-house capabilities.

Conclusion 

The cybersecurity landscape is an ever-evolving arena of constant change and flux requiring nimble defense capabilities. The finance industry faces serious security challenges such as ransomware and advanced threat actor targeting. Cybercrime is a significant threat that has impacted the cybersecurity profession in recent years. A unique approach to defending against cybercrime is applying cyber threat intelligence information to gain as much early warning about threat actor capabilities, intentions, and tactics as possible. Threat information helps steer cybersecurity defenses toward mitigation of trending security threats. As these threats emerge, having qualified response personnel is essential to preserving business information technology resources. When these resources are not readily available, leveraging third-party resources is a stop-gap strategy until a more permanent solution can be formulated and implemented. These are just some of the challenges Worst Insurance Group faces on the modern cybersecurity front. Leveraging the ideas discussed in this paper will help mitigate risks from these threats and advance security objectives.

References 

Bureau of Labor Statistics, U.S. Department of Labor. (2021, April 9). Occupational Outlook Handbook, Information Security Analysts. https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm. 

Clozel, L. (2018, March 7). Citigroup, Kabbage Form Consortium on Fintech Cybersecurity. Wall Street Journal - Online Edition, 1. 

Liu, M. (2021). Embracing Risk: Cyber Insurance as an Incentive Mechanism for Cybersecurity. Synthesis Lectures on Learning, Networks & Algorithms, 2(1), vii-127. https://doi.org/10.2200/S01093ED1V01Y202104LNA026 

Meland, P. H., Bayoumy, Y. F. F., & Sindre, G. (2020). The Ransomware-as-a-Service economy within the darknet. Computers & Security, 92. https://doi.org/10.1016/j.cose.2020.101762 

Minnaar, A. (2020). “Gone Phishing”: The Cynical and Opportunistic Exploitation of the Coronavirus Pandemic by Cybercriminals. Acta Criminologica: Southern African Journal of Criminology, 33(3), 28.  

Nurse, R. J., Axon, L., Erola, A., Agrafiotis, I., Goldsmith, M., & Creese, S. (2020, June). The data that drives cyber insurance: A study into the underwriting and claims processes. In 2020 International Conference on Cyber Situational Awareness, Data Analytics and Assessment (CyberSA) (pp. 1-8). IEEE. https://doi.org/10.1109/CyberSA49311.2020.9139703 

Oosthoek, K., & Doerr, C. (2021). Cyber Threat Intelligence: A Product Without a Process? International Journal of Intelligence & Counterintelligence, 34(2), 300–315. https://doi.org/10.1080/08850607.2020.1780062 

Schlette, D., Böhm, F., Caselli, M., & Pernul, G. (2021). Measuring and visualizing cyber threat intelligence quality. International Journal of Information Security, 20(1), 21–38. https://doi.org/10.1007/s10207-020-00490-y 
