Cybersecurity consulting becomes big business

By Erin Ayers on September 12, 2014


With new data breach threats arising every day, businesses need expertise and they have numerous options in the field of security consulting, breach response and pre-breach risk mitigation.

A recent report from Gartner found worldwide spending on information security is expected to rise to $71.1 billion this year, up from 2013 by about 7.9 percent.

Stock data show that investors see the value in cybersecurity as well, with shares of various firms being snapped up quickly over the last quarter. Security firms can essentially write their own ticket, these days, with heavy competition on price and service.

“It’s exploded over the past few years. There’s thousands and thousands of security companies,” Mark Greisiger, president of NetDiligence, told Advisen. Choosing the right one depends on the organization’s specific needs. If a breach has already occurred, a business likely needs incident response help – and it needs it quickly. There are firms that focus purely on helping breached companies locate and notify all affected customers and comply with state laws on breaches.

“That part of it is very complex and there’s a science to it,” Greisiger explained. Some state breach notification laws are more aggressive than others, he added, citing Massachusetts, Vermont, Connecticut and California.

“You definitely need a lawyer who understands that full landscape,” said Greisiger.

The “postmortem analysis” aspect of security generally begins as soon as a company realizes it can’t handle the incident on its own, usually with the assistance of an attorney. Security firms sweep in to sift through servers and determine whether the “bad guys” accessed any customer information – and whether they still have access to the system.

Data from Mandiant, a security consulting firm owned by FireEye, found that breach response time is improving. In a report based on 2013 attacks, the firm determined that the median number of days attackers had accessed victims’ networks before being discovered dropped to 229 days in 2013 from 243 in 2012.

“This improvement is incremental relative to the drop from 416 days in 2011, however organizations can be unknowingly breached for years. The longest time an attacker was present before being detected in 2013 was six years and three months,” noted Mandiant in the report. However, organizations less frequently discover breaches on their own: only 33 percent of organizations detected breaches without outside help in 2013, compared to 37 percent in 2012.

Breach response obviously occurs once trouble has already found its mark. It’s necessary to alert consumers, deal with public relations fallout, and safeguard the business going forward.

“At the end of the day, it’s just detecting something bad that’s already happening,” Greisiger said.

Risk mitigation security services can help organizations assess their “security readiness posture” and “kick out gaps and weak spots in your practices, policies and procedures,” according to the NetDiligence president.

Any company accepting credit and debit cards for payment must have an annual audit from a PCI Security Standards Council-approved vendor. PCI also offers information on security threats that retailers and other businesses accepting payment cards need to know.

According to Greisiger, the value of pre-breach mitigation can lie in assessing organization-wide policies and procedures against industry benchmarks. Most businesses can always find places to improve security.

“It’s only in very rare cases where you find complete perfection,” he said. Even organizations with full security staffs can be targeted, despite all the preparation and good-faith efforts to prevent attacks.

“All these companies are aware of these things, yet it still happens to them,” said Greisiger. “There are very smart bad guys out there.”

Despite the uphill battle, risk mitigation goes a long way. Greisiger explained that security firms can turn up much more than risks to data. Firms should be looking at the “wide-angle picture” — security, privacy and a company’s records management practices.

Collecting data is a “huge liability area” that can put organizations afoul of state and federal laws that have nothing to do with data breaches. He cited copyright infringement, media liability and theft of intellectual property, all of which can fall under the aegis of cyberliability.

“Cyber risk is much, much broader than security. It’s not just all about security risk,” he said.

Erin is the managing editor of Advisen’s Front Page News. She has been covering property-casualty insurance since 2000. Previously, Erin served as editor-in-chief of The Standard, New England’s Insurance Weekly. Erin is based in Boston, Mass. Contact Erin at [email protected].