Warren Buffett Is Dangerously Wrong About Cyber Risk

The unfortunate thing is that how Berkshire Hathaway decides it wants to handle the issue of cyber risk ends up impacting far more than Berkshire Hathaway. Buffett is so admired, and Berkshire Hathaway such a giant player in risk and insurance, that his words impact everyone’s security.

Warren Buffett may be old, but he continues to be held in the highest of esteem by investors. He certainly has a great track record. Buffett is also admired because of his openness and candid discussion of his methods and stock picks. He’s always sworn by a long-term investing strategy, which values not only growth but stability. His disciplined approach has been the key to great success.

For this reason, when he speaks, the investing and business world listen. He’s been called the Oracle of Omaha. When his Berkshire Hathaway group holds its annual shareholders meeting, some investing companies take the day off and gather to watch the whole thing with the enthusiasm and fanfare of the Super Bowl.

When Warren Buffett speaks, the financial world listens. The insurance world also listens, because Berkshire Hathaway has become one of the biggest players in insurance. The group recently purchased a large portion of Chubb, one of the largest providers of cyber risk coverage.

This is a problem, because when someone so influential speaks about something so important, they had better be correct, and in this case, he is dead wrong. I do not mean to criticize Mr. Buffett personally, of course, but it’s important to bring attention to this. As an expert in this area, I find his comments to be absolutely terrifying.

The reason it’s so terrifying is the impact that these comments, and others like them from other business leaders, have had on national security and the global economy. Insurance is vital to how a capitalist economy self-regulates and how risk is properly priced. Insurance is the bedrock of how risks are treated in the economy.

The unfortunate thing is that this very ignorance is at the root of the stagnation of cyber defenses, the layoffs of so many in the sector, the divestment of resources and the acceptance of such dire levels of loss. It’s terrible to think that anyone so followed could be actively telling people that cyber security is a mystery nobody has figured out. If that were the case, it would be pointless to spend on it and hire experts.

Shortly after this meeting, a large number of cyber security professionals were laid off.


Understanding the Core Problem in Cyber Security

From a technical standpoint, in terms of why bad things happen in IT systems, it’s pretty straightforward: We don’t do a good job of controlling access to accounts and we do not monitor accounts for problems. That’s 90% of the problem. It’s account access control. The reason for this is that passwords do not work and efforts to standardize and mandate better access control have been poorly supported.

While cyber security may seem very complicated, this is really just because it is so unfamiliar and has been wrapped in mystery.  It is no more complex or perplexing than any other type of security, but it is a relatively small specialty and so there are really only a small number of subject matter experts who have any kind of clear-headed thinking on this one.

For the most part, the problem we have in cyber security is access control. Specifically, we do not have great authentication of remote access. That’s it. That’s the problem. In most circumstances, more than 90%, in fact, it comes down to not being able to authenticate that a connection is legitimately who it says it is. So, for example, the CEO’s email is being read by a foreign hacker, who stole the CEO’s password.

That might sound like it would not be an insurmountable challenge.  I mean, after all, how hard is it to make sure the CEO is who he says he is and not a foreign agent?  Surely, we could track the geolocation or the context or use his approved hardware.  And you would be correct, it is not insurmountable.  In fact, we can close all the holes in access control if we decide to.
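The contextual checks named above (geolocation, context, approved hardware) can be run over sign-in records even when the password itself is correct. The following is an added example, not code from the original post; the device IDs, the 900 km/h travel ceiling and the sample sign-ins are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

APPROVED_DEVICES = {"ceo": {"laptop-7f3a"}}  # constructed enrollment list
MAX_SPEED_KMH = 900  # assumed ceiling, roughly airliner speed

@dataclass
class SignIn:
    user: str
    when: datetime
    lat: float
    lon: float
    device_id: str

def km_between(a, b):
    """Great-circle (haversine) distance between two sign-ins, in km."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def assess(events):
    """Return (event, reasons) for every sign-in that should be challenged."""
    flagged, baseline = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        reasons = []
        if ev.device_id not in APPROVED_DEVICES.get(ev.user, set()):
            reasons.append("unapproved device")
        prev = baseline.get(ev.user)
        if prev is not None:
            hours = max((ev.when - prev.when).total_seconds() / 3600, 1 / 60)
            if km_between(prev, ev) > MAX_SPEED_KMH * hours:
                reasons.append("impossible travel")
        if reasons:
            flagged.append((ev, reasons))
        else:
            baseline[ev.user] = ev  # only clean sign-ins move the baseline
    return flagged

# Constructed sample sign-ins for one account (not real data).
SAMPLE = [
    SignIn("ceo", datetime(2024, 3, 4, 9, 0), 40.71, -74.01, "laptop-7f3a"),
    SignIn("ceo", datetime(2024, 3, 4, 9, 40), 1.35, 103.82, "unknown-b21c"),
    SignIn("ceo", datetime(2024, 3, 4, 13, 0), 42.36, -71.06, "laptop-7f3a"),
    SignIn("ceo", datetime(2024, 3, 4, 13, 30), 51.51, -0.13, "laptop-7f3a"),
]

if __name__ == "__main__":
    for ev, reasons in assess(SAMPLE):
        print(ev.when, ev.device_id, reasons)
```

The last sample sign-in uses an approved device ID yet is still flagged on travel alone, which is why the checks are combined rather than trusted individually.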
