With car purchases there is often a warranty that offers buyers the assurance that if something doesn't work, they can get it fixed. The same is true throughout much of modern consumer society, with products and services backed by warranties that simply affirm to users that products will work as they should. A glaring example of where warranties are not common is software, specifically security software.
Jeremiah Grossman is on a mission to help change that.
Grossman first introduced the concept of guaranteeing security in 2015, with his former employer WhiteHat Security. The basic premise of WhiteHat's guarantee is that if the software and service provided by the company don't help prevent a breach, WhiteHat will pay for breach-related costs. Grossman changed jobs this year, joining security firm SentinelOne and launching a $1 million ransomware guarantee program with that company.
At the recent Black Hat USA conference, Grossman provided attendees with an insider's guide to cyber-insurance and security guarantees. In an interview with eSecurityPlanet, he offered additional details on his view about how other organizations can follow his lead and offer guarantees.
"Infosec is a $75-billion-a-year business growing at five percent a year, or $3.2 billion in new money every year," Grossman said. "That $3.2 billion is roughly the same size as the cybersecurity insurance business today in terms of premiums."
In his view, organizations are probably just as likely to cover the potential downside of security by purchasing insurance as they are to actually buy new security products. Figuring out the interplay between the cyber-insurance that an individual organization buys and a cyber-guarantee that a vendor provides is not an easy task, he noted.
"For the security vendors that want to provide a guarantee, they have to make sure it doesn't overlap with the insurance that a company has already bought," he said.
The issue of coverage overlap is one that he has encountered at both WhiteHat and SentinelOne, Grossman said. The challenge for security vendors is to get out of the way of the insurance providers and deliver a guarantee that is substantively different. As a metaphor, car owners today get a vehicle warranty from the manufacturer but still buy insurance to protect against accidents.
A particular challenge in offering security software guarantees is the simple fact that the attacker landscape is very dynamic, with new threats and attack vectors emerging on a regular basis. For ransomware, which is what SentinelOne is providing a guarantee against, Grossman argued that attackers are using techniques that have been popular for years.
One of the things that Grossman has learned through his experience is how to get a vendor cybersecurity guarantee re-insured by an insurance vendor. The right way for vendors to get insurance for their own programs is by way of standard business insurance for errors and omissions.
"It can fall under a general business category and it can be very cheap to do," Grossman said.
Grossman emphasized that with $75 billion being spent on information security, he's tired of hearing about how companies are still being hacked.
"What I want to see is vendors go to war on product performance, not on marketing collateral," he said.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com.