I have been in many meetings and seminars where I have been astounded by the response of CISOs, CIOs and IT Directors when it has been suggested that risk transfer might be of help.
The type of risk transfer generally being referred to is provided through insurance products covering such areas as business interruption, errors and omissions and cyber liability.
A typical reaction from an IT or InfoSec executive when asked whether cyber insurance should be considered is that they already have sufficient security and availability systems in place (firewalls, intrusion detection systems and so on), so why would they need insurance?
I am not sure why this position is taken, but I think it can best be explained by the lack of organisational maturity that IT and IT Security have within their organisations: I have found that many senior IT managers simply don't come into contact with the colleagues who manage their organisation's insurance portfolio, usually the Chief Risk Officer, Finance Director or Company Secretary.
In trying to draw an analogy for this lack of appreciation of the value of insurance, one that seems to resonate is that of a Facilities Manager explaining to the Board that he simply didn't see the need for buildings and fire insurance. After all, he has installed smoke detectors and a sprinkler system. The Board should appreciate the fact that costly insurance premiums were avoided. Surely it won't take too long to rebuild the burned-out shell of the office HQ? Blimey, they should be thanking him!
The significant rise in cyber breaches, coupled with the recently reported spiralling rise in cybercrime and its associated costs, is leading to a greater and more positive realisation that cyber insurance is a worthwhile additional safeguard - not only for the business generally but also to protect the IT budget, which may well take a pounding in response costs should an incident occur.
So I welcome this more embracing approach to risk transfer. Coupled with an intelligent mix of the other risk treatment approaches (mitigation, avoidance and, of course, acceptance), it heralds a new and more mature way to manage business risk effectively. Insurance complements the firewalls and the sprinklers rather than replacing them: the controls still have to be in place, and the policy is there for the residual risk they cannot remove.