Afterhour rants: Cybersecurity as insurance

Nobody wants to buy insurance

Do you drive? How many cars have you sent to the scrapyard because of a crash? I’m willing to bet you’ve never crashed a car. And if you have, well you’re still here to talk about it, so it probably wasn’t too serious.

You’re probably a reasonably careful driver. Chances are you don’t need car insurance. Imagine the money you’d save by skipping on car insurance! And if you ever have a problem, well, you’ll have enough saved to figure it out.

Unfortunately though, most countries require car insurance by law. So which car insurance would I get? The cheapest one.

Cybersecurity is the insurance

Obviously, the previous paragraphs are tongue in cheek. But if you work in cybersecurity for an organisation, I have news for you. You’re the insurance.

Of course, the cybersecurity function is not there to hand out money in case a system is compromised. It is there to avoid that system being compromised. From the organisation’s perspective, the end result is the same: money saved.

And just like with car insurance, organisations prefer their cybersecurity functions to be cheap. A “cheap” cybersecurity function has few people (less than 1% of total headcount for software orgs), spends little money (less than 2% of income for software orgs) and generally gets out of the way of the actual money-making.

And just like with car insurance, cybersecurity is more or less mandated by external regulators and stakeholders. If an organisation doesn’t have to get a security team, it won’t get a security team. The comparison is not watertight, however: insurers can simply refuse to insure a given asset, forcing the asset owners to do things differently, whereas security teams usually have little to no authority to require big changes on any system.

So what do we do about it?

Accept your fate, and do your best to find a reasonable organisation to work for. Otherwise, you’re setting yourself up for a lifetime of disappointment.

Here are 10 questions you can ask yourself to gauge whether your org is reasonable or not.

  • Has a C-Suite executive questioned the value of the security team’s projects in the last 3 months?
  • Has the CEO criticised the security team for not bringing in enough customers?
  • Has the CEO told the security compliance specialists that their jobs are “useless bullshit”?
  • Has the CTO asked about the possibility of removing the EDR agent from employees’ workstations to reduce CPU & RAM usage?
  • Has the CTO suggested moving from an enterprise grade IDP to a self-hosted OpenLDAP server to reduce costs?
  • Has the CTO criticised the security team for not putting in enough pull requests on the company’s main software products?
  • Has the CTO suggested replacing the company’s SIEM with “a cronjob that runs grep commands”?
  • Has the CTO suggested replacing the MDM with a “cronjob that calls some scripts”?
  • Has the CFO suggested merging security with IT support because “both are support functions”?
  • Have engineers suggested having the security team fix vulnerabilities in their systems?

If I include all the companies I’ve worked for over my entire career, I can answer “Yes” to every single one of the questions above.

Does that mean I only worked for unreasonable companies? No, of course not. I worked for many different organisations; they can’t all be that bad. I was being unreasonable by expecting for-profit companies to put thought and effort into their “insurance”.

So now, I embrace the housekeeping. I enjoy being the policeman without any authority. And I try to have fun while I’m at it.