Attorney John Mullen offers some advice for security managers looking to understand transfer of responsibility and how that concept applies to cyber insurance.
1. Leave your ego aside. Companies need to understand that an insurance company won't grant you a cyber insurance policy unless an outside third party has done a full assessment of your risk profile. So accept that your organization needs help and hire a consulting firm that can do a deep dive on your security posture and help you implement the tools to manage security on an ongoing basis.
2. Get everyone involved. Security can't just be an IT or security department function. Everyone in the company, from the top people in the executive suite and the corporate board to department heads and rank-and-file employees, has to take ownership of security. This ranges from consistent reporting and an open dialogue with top management to companywide training on threats such as phishing and ransomware.
3. Seek out cyber insurance. Many CISOs have resisted cyber insurance because it's not always clear that the cost is worth the payout following a breach, and organizations are not always willing to share sensitive internal information with an insurance company. Get over it. A major breach can put you out of business, and just as you need insurance against a fire or flood, you need insurance in the event of a data breach. Going without it puts your business at risk.