10 New Questions Underwriters Should Be Asking Themselves.
1. How much data has the company got, and what type of data is it?
Is this business in the data collection business or not? Many organisations actively collecting data don’t know what they’ve got or why they’ve got it, which is a dangerous situation to be in.
2. What does the tone from the top look like when it comes to promoting a solid security culture?
Security culture is pervades every element of a business. It’s contractual and a function of purchasing and legal, and it starts at board level as well.
3. What about staff and third party contracts?
Security culture is pervades every element of a business. It’s contractual and a function of purchasing and legal, and it starts at board level as well.
4. Does the organisation have a CIO, CDO and CSO?
If a company has senior people in these roles, they may be in a better position to make informed decisions surrounding data. Not every company can afford a Chief Security Officer, but we’re starting to see more third party outsourced CSOs and security monitoring services, especially amongst SMEs.
5. How long has the organisation been around?
Younger organisations are more likely to have grown up with more security conscious systems and practices and more likely to secure data in the cloud. Age and size may not be a problem if a company is serious about its view to investing in the business for the purpose of security, robust infrastructure and training.
6. How many systems does the company have?
Similarly to the point above, bigger, older organisations are likely to have more assets and less idea of exactly how many they have, which is a big concern as it only takes one asset to become vulnerable for malware to be introduced.
7. What percentage of revenue does the company spend on security related it?
It’s useful to watch if that percentage goes up or down in order to gauge how committed a company is to security.
8. Are their own products secure?
It’s also useful to watch whether organisations are building security into the products they are creating. It’s understandable that companies want to get new products out to market quickly, but if they are not being built with security in mind, this is a real concern.
9. How is outsourcing handled?
Outsourcing is not bad - it’s a fact of life. Are you able to see the ripple effect and the inherited risk from all third parties and their respective third parties?
10. Can you apply a security infrastructure to employee ratio?
If a business has a large number of employees but also invest significantly in its infrastructure and the security surrounding it regularly, this is a positive sign.