The Cyber CIC Program Series, by Olivier Bue, Vice President, The Hull Group
First and foremost, I have to say Pittsburgh is not exactly what I expected. I knew it had a reputation for sports and good food but I didn’t realize how beautiful the city actually was. From the moment I exited the Fort Pitt Tunnel I was stunned. Between the three rivers that run through it and the green hills in the background, there are too many sights to take in.
That said, I didn’t have nearly enough time to explore the city since much of my 3 days there were spent in lecture rooms at the prestigious Carnegie Mellon University (CMU). During the orientation sessions on the first day I quickly realized that this program was really serious about what it was trying to deliver to the participants. The CMU professors and outside advisors involved in the program included a number of high profile cyber security professionals and Chief Information Officers from various organizations, not to mention the executives from Chubb that are fully invested and participating in the program.
A number of the CMU people involved were also associated with or work in the CERT Division of CMU. It turns out that this same CERT Division is considered the birthplace of cybersecurity. The first organization of its kind, CERT was created in Pittsburgh in November 1988 at the US Department of Defense’s direction in response to the Morris worm incident. Originally focused on incident response, they have expanded into various cybersecurity areas surrounding risk management concerns.
This is just the start of the program but if I had to offer a takeaway, it would be a simple equation for Cyber Risk offered from a session conducted by Randy Trzeciak, Director of the CERT National Insider Threat Center – “Cyber risk equals the probability that a threat (human or non-human) will find a vulnerability (human or non-human) towards an impact (whether it be financial, operational and/or safety).”
The traditional value proposition of insurance products are to help organizations recover from the “impact” element of this equation. However, as cyber insurance products continue to evolve in a competitive landscape, they are starting to put more focus on helping organizations with the other elements of cyber risk. The marketplace is moving towards a point where cyber insurance products will be just as useful in preventing an impact as they will be in responding to it.