$75 billion. That's the amount of money businesses, governments, and individuals pay every year to security companies. While some security companies provide good value, the reality is that incidents are still getting worse and more frequent. Hundreds of millions of people have had their personal information stolen, businesses all over the world are losing intellectual property, and financial fraud is in the billions of dollars. These stories are constant, seemingly never-ending, and customers are tired of it. They are even apathetic to the degree that they are turning to cyber-insurance as an alternative to breach prevention. We know this because cyber-insurance is a thing. In fact, cyber-insurance is a skyrocketing business that is already influencing every area of the information security industry. This rise of cyber-insurance has also provided a new way for security vendors to help their customers. A way for them to make a real positive impact, differentiate themselves, and align their incentives with those of their own customers - I'm talking about security guarantees.
Security guarantees, or guaranteeing security, is almost a taboo subject in the industry. As skeptics are quick to point out, nothing is 100% secure. Everything can be hacked. They're technically right, of course, but they're also missing the bigger picture. We all buy electronics, cars, tools, or toys for the kids, and all of these items sometimes break - yet every manufacturer still provides some kind of guarantee, most often at least a replacement. A manufacturer can do this because they know how often their product breaks. If every other major industry in the world can do it, the security industry can too! And while many InfoSec practitioners are not yet aware of this, a few security vendors are already offering security guarantees. From private conversations, at least a half dozen or more are actively working with cyber-insurers and creating security guarantee programs of their own. Many of our peers are investing their time in this space as well. Before too long, security guarantees will become common.
InfoSec practitioners who want to get a head start, or even a leg up, in cyber-insurance and security guarantees - this presentation is just for you. Also, one does not simply launch a security guarantee program. A great many things must be discussed, analyzed, and accounted for first. The business model of the program must be carefully designed, product efficacy must be measured, risk calculated, lawyers consulted, impact on financial accounting rules understood, liability reinsured, and more. Security vendors, if you're interested in how to go about creating a security guarantee program of your own, I'll be providing several helpful tools and a process. And business managers who would like to understand the landscape and how security guarantees are a great help in the purchase process, this talk is also for you.