Microsoft Alone Will Decide Which Cybersecurity Products Are Best
Steve King, CISM, CISSP
Cybersecurity Marketing and Education Leader | CISM, Direct-to-Human Marketing, CyberTheory
At first, I thought this was a joke. But no. It is for real.
Gigantic insurance broker Marsh (of Marsh & McLennan) just announced a service it will host, designed, in its words, to recommend the cybersecurity products that are “the most effective” and to do for businesses of all kinds what the insurance industry has done for auto and building safety products.
The leading insurance broking and risk management company, a division of $8 Billion parent Marsh & McLennan and home to 65,000 employees, has partnered with Microsoft, and Microsoft alone, to create a program called Cyber Catalyst. The program will invite leading cyber insurers to evaluate cybersecurity products that the two of them (Marsh & Microsoft) consider effective in reducing cyber risk, which will supposedly provide corporate guidance in navigating the 3,000+ vendors in the cybersecurity marketplace.
“This is a proven model for the insurance industry,” said Thomas Reagan, Cyber Practice Leader for Marsh, describing it as “applying knowledge and experience about the economic consequences of risk” to support better decision making and behaviors. “This is like seat belts or air bags or building sprinklers.”
Not if they’re made by Microsoft.
With a long and well-documented track record of producing the most porous and vulnerable operating systems in computing history, Microsoft is the very last place corporations should go to for cybersecurity advice. From Windows 98 to Home Depot to the Melissa virus to a nation-state break-in of their own network to WannaCry and the hostage taking of over 230,000 computers in 150 countries, Microsoft wins the top award for helping its global customers increase their vulnerability to cyber-attacks and weaken their overall cybersecurity posture. To be fair, Microsoft has recently made a heroic effort to correct its propensity to vulnerabilities and should be applauded, though all of the companies and people impacted by earlier breaches will likely not join in.
According to Marsh, the program is a response to the two most common questions clients ask brokers when it comes to cyber: 1) “What cybersecurity products and services should I use, particularly the one that may not be on my radar?” and 2) “If I use them, what value will those products and services have for my insurer and for my insurance program?”
These are two reasonable questions in light of today’s brutal onslaught by security salespeople hammering on CISOs with claims of the only and best solution to the vast array of cybersecurity threats. I don’t fault CISOs for shutting salespeople down without even listening to their pitches, and I don’t fault salespeople for trying their best to rise above the noise and get some attention. I and most CISOs I know get 400 emails a day and dozens of phone calls and voice-mails that I never answer and never return. Some of the messaging is so sophomoric that it would make me laugh were it not so irritating and embarrassing. All of it indicates a lazy unwillingness to do even a modicum of research into their target prospects.
But now it’s gotten worse. Resorting to extreme tactics to get CISOs on the phone by lying about security emergencies and threatening to expose insignificant breaches to the media is a bridge too far.
I have seen dozens of examples of fake crises and imaginary breaches used to create panic among their target prospects and nefarious processes to get their made-up stories heard. And the constant use of terms and phrases like unhackable, AI and Machine Learning, human immune system, future proof, etc., cause CISO BS meters to sound alarms every time they hear them.
I get it. It's hard for cybersecurity companies to get noticed. Smaller vendors particularly struggle because top corporations already have contracts or strong customer relationships with the biggest companies. We see this at RSAC every year, and every year the monsters at the top of the food chain get bigger and the tail of the beast grows longer. This is precisely where the threat of negative media coverage comes in. Exposing a security flaw, no matter how small, can garner big headlines, especially if it's at a big public company. Enough press coverage can spark weeks of outrage and land top leaders in front of Congress. It becomes a moment of opportunity for a small vendor to gain extraordinary coverage and is often too tempting to pass up.
However, breaches that actually cause irrecoverable damage are relatively rare. As a result, vendors often try to make a big deal out of minor breaches that don't expose important company or customer information. I know of cases where vendors have called in to report "emergency" incidents, then once they got past the company's gatekeepers, turned the "alert" into a sales pitch. I know of companies whose sales strategy is to repeatedly lie to administrative staff about their reasons for calling, characterizing their call as a matter of grave security importance, only to present a sales pitch once they'd worked their way up to the right executive.
These tactics always have the same result. They create distrust among all buyers about all cybersecurity vendors and cause buyers to miss solutions that may actually work as advertised and solve a serious problem. I work with two vendors now who fit that bill yet are having a difficult time getting attention.
The Marsh plan claims to have empaneled a group of cyber insurers to independently evaluate cybersecurity offerings that address major cyber risks such as data breach, business interruption, data theft or corruption, and cyber extortion. They don’t explain exactly how cyber insurers are qualified to do this, and since we suffer from a paucity of actuarial data (which is why it has been so hard for insurers to underwrite meaningful cyber-risk policies), I am having trouble connecting the dots. The last time I looked, cyber insurers don’t employ teams of seasoned CISOs who might be qualified to make determinations of this nature.
These independent insurers along with the experts at Microsoft will determine if a product or service earns a Cyber Catalyst designation. Then, companies who adopt Cyber Catalyst-designated products MAY qualify for enhanced terms and conditions on any cyber insurance policies they negotiate with the participating insurers.
So, if all of this isn’t crazy enough, consider that in order to avoid any “potential” conflicts of interest between insurers and vendors that apply for the Cyber Catalyst designation, Marsh claims that they EXPECT participating carriers to “act in good faith and to disclose any potential conflicts.”
But wait. It gets better. The application process itself includes a Vendor Participation Agreement which of course must be completed, but it also times out if you take too long thinking about your answers. Marsh suggests that applicants retrieve the application documents from their site so vendors can take time to review and prepare their answers, but it turns out it is impossible to do as instructed, because if you hit the forward arrow when you haven’t completed a page, it won’t let you.
The other news is that if a vendor is fast and prepared and quick enough to complete each page of the application before it times out, they will have all the way up until May 3rd to submit it for consideration. That’s like 5 weeks. What happens after May 3rd? Will we then be able to rest assured that Marsh and company now have all of the “most effective” cybersecurity products assembled for ranking and rating by the experts at Microsoft?
It is tempting to blame this on over-zealous sales reps, over-zealous vendors, over-zealous venture capitalists or an over-zealous giant software company in the Pacific Northwest doing what it has become used to doing in an industry it dominates. But we have gotten here largely because we as consumers and businesses continue to fuel the problem space by failing to build into our organizations the security fundamentals necessary to prevent most data breaches.
The keys to cybersecurity defense are and have always been people and process first and technology second.
We didn’t inadvertently choose mobile email and cloud computing. We happily invited third-parties into our networks without vetting them. We love our break-room smart appliances and we choose to ignore all of the vulnerabilities that arise from uncontrolled IoT in our work spaces. We patch known vulnerabilities when we can, but we haven’t made it a priority. We don’t watch all of our logs all of the time, because we don’t have the resources and can’t seem to figure out how to make that argument or find an alternative.
We do software development on data from production systems, share code from places whose source we don’t understand, and refuse to adopt the principles easily found in well-publicized security frameworks. We continue to view InfoSec as a prevention problem and not as a risk problem. We refuse to learn the language of our executives, so we fail to connect with them on critical business exposures. We breathlessly look to AI and ML to solve all of our cybersecurity problems, when in fact AI is about to expand the threat landscape exponentially.
Until we address the fundamentals, we will continue to fan the flames of cybersecurity risk regardless of advances in technology.
But for those who look to technology as a panacea or who have done the ground work and are now ready to choose technology solutions that address some specific categories of vulnerabilities in their environment, I am pretty sure relying on a marriage between a giant Insurance company and Microsoft is not the right way to do it.
We have instead created a humble and simple alternative. It won’t get you a discount on insurance, but it will help you make an informed decision. We are building a platform where vendors can submit their products or services to a panel of actual CISOs who work for actual companies and have actual experience in the actual cybersecurity space. These CISOs will be supplemented by a team of white-hat, ethical hackers and pen testers who have competed at DEF CON and find joy in breaking things. These teams will perform an independent evaluation of each product or service submitted and produce a set of ‘pros’ and ‘cons’ and a summary finding.
And our CISOs will also provide clear descriptions and definitions of the security problems we are addressing across four major categories, with the implications for business risk. We will have use cases of various solutions, expected results, the timeline a workable solution normally follows, and implementation insights to help achieve desired outcomes. These solutions will be accompanied by advice that assures long-term success versus a temporary band-aid.
One objective here is to promote a shared forum in which CISOs have an opportunity to outline what works for them in their particular environment. Unlike trade secrets and intellectual property, we don’t believe that any business retains a competitive advantage by keeping their proven best cybersecurity practices a secret. The platform provides a global stage upon which CISOs across all industries can communicate about process, policy and technologies that work and the alternate paths which do not lead to success.
This platform is intended to be the antithesis of industry analysts like Gartner and Forrester research. There are no ‘research subscriptions’ so it will be impossible for any vendor to ‘buy’ their way into a good vs. poor review. There is no monetization and there will be no magic quadrants either.
Our CISO and security analyst teams are doing this because they believe the cybersecurity train has jumped the rails, and they are willing to share, pro bono, the experience they have in the field in order to help companies make sense of vendor claims and to achieve sustainable improvements in their cybersecurity postures.
We have a dozen CISOs and hackers signed up so far. If you’re a CISO, CEH or Security Analyst and wish to participate, we welcome you enthusiastically. Just email or DM me.
Watch for an announcement by the end of April and in the meantime, stay away from air bags of any kind.
Keeping You Online - Securing Data - Preventing Disaster
5 years
We use independent technologies to secure existing Microsoft cyber weaknesses!
Experienced Manager looking for the next opportunity
5 years
"According to Marsh, the program is a response to the two most common questions clients ask brokers when it comes to cyber, 1) ‘What cybersecurity products and services should I use, particularly the one that may not be on my radar, and 2) If I use them, what value will those products and services have for my insurer and for my insurance program?'" These questions are adequate, but they skip the most important question: "What product(s) will be most effective in my environment?" Microsoft can't answer that question. This is a good idea. It's really hard to keep track of all the products on the market and which ones are effective. I can't say that I would Microsoft or an insurance company to help me make that decision though.