In the simplest of terms, there are two sides to every information security program: protection and response. A successful cybersecurity program requires both. However, on both sides of the coin, organizations must deal with five realities:
- There are things they have under control and completely operationalized.
- There are things they can handle, but it's a pain to keep on top of them.
- There are things they have to work hard at but can still manage, somehow, barely.
- There are things they don't know how to deal with; investments in process, technology or personnel will not make a material difference.
- Their program is defined and managed by humans -- and humans make mistakes.
Our CEO, Jonathan Niednagel, contributed to this article by noting first that cybersecurity insurance doesn't replace security best practices; rather, it is a critical component that fills in the gaps of a solid, well-thought-out security program. "Any security professional will tell you that you can never be 100% protected against an attack," said Niednagel. "If this were true, then best practices and due diligence should get you 95% of the way there, and cyberinsurance should cover the remaining 5% exposure."