Alexander Bochmann

@superruserr On the up side, insurance companies don't want to cover unreasonable risks, so they'll require some sort of security baseline in the fine print. (Which probably won't divert much from the kind of things that financial auditors want to see in place nowadays.)

@galaxis That's a good point re: security baseline.

And the show was more or less targeting small to medium sized businesses.

@superruserr Yeah, I was thinking about that too, but don't have an answer. Some of our customers are in the 50 to 100 employee range - those usually have maybe two people on IT staff, and no one tasked with IT security. As an outsourcing partner, we can provide the basics - perimeter security, AV, content gateways - but it's difficult to even talk about more complex topics, never mind security management processes.

@superruserr ...and that's just old-style companies who run most of their services inside their own networks.
Having everything distributed over various SaaS platforms provides some security (as included with the SaaS offering), but also has a completely different risk profile.

@galaxis I agree with this, and it's something I had not thought of before. Also some interesting discussions which your reply reminded me of -

@superruserr I'd seen the initial post of that thread but missed the reply of the AWS guy.
It's hard to argue against the "putting things on cloud services gives everyone access to the best defense" stance in general, because it's mostly true.
But when you export a bad security posture "to the cloud" (like maybe account sharing, or refusing to use 2FA), things are suddenly a lot worse now compared to when that was something that's hidden behind even the most laughable perimeter defenses.

@superruserr My other gripe is that everything "threat intelligence" potentially puts your users' privacy on the line - and I've seen little info on how threat intelligence data is being shared around.

I work in infosec for a rather large company and the insurance companies only care that you check boxes and don't really care about how much security you actually have.

@catdad @superruserr No one really cares how much security you actually have. It's probably possible to get ISO27k1 certified on paper defenses alone.
The insurance company though will be very happy to deny your claim when there's an incident and it turns out you provided them with false information upfront.

Oh, it's not false claims. We've (and by we I mean the company) paid 10s of millions of dollars for "security in depth" that effectively does jackshit.
