Black Hat 2019 from the cyber insurance lens

Having long lost its “cool” factor to DEFCON, every year Black Hat is turning more and more into the security “trade show” that RSA has long been, but with a threat research and security policy bend. This, however, still makes it much more of a forward looking preview about what’s around the corner for the cybersecurity industry as a whole, than a recap of security companies’ marketing campaigns. Having once again crossed the desert to partake in Black Hat 2019, here are my Top 3 Coolest Trends for what is coming up in cybersecurity.

(1) Cyber Insurance Comes to Black Hat

On the heels of headlines about major claims, court fights, and regulatory shifts, Black Hat 2019 marks the entrance of cyber insurance into the mainstream cybersecurity community, complete with its own filter on the Black Hat agenda page. There were three excellent talks on cyber insurance including a 101 from a cyber specific MGA, a discussion on how insurance fits with traditional IT risk management, and a session from an industry leader, Matt Prevost, lifting the veil on how organizations seeking cyber coverage are actually underwritten and what is being done to improve cyber insurance products

(2) These folks are from Government … and here to actually help

Having done the Black Hat tour while serving in the U.S. Government, I can say that our offerings were looked at as ‘cute’ at best and with suspicion at worst. This year it was great to see the U.S. Government doing more than recruiting for the National Security Agency, but also discussing the Department of Homeland Security’s new NCATS offering. The FBI was raising awareness on what to do when ransomware strikes (to pay, or not to pay) and had the head of the Las Vegas cyber division out “walking his beat” meeting with black and white hats alike.  

(3) Tackling the lack of security resources:

As the constant refrain of “we don’t have enough trained personnel” continues to plague the cybersecurity industry, a new wave of online training has fully taken hold. The focus is shifting to elevating current practitioners to Jedi master status, or making IT support personnel at least ‘lucky’ Stormtroopers, using low cost easy to access online training. Immersive Labs, a relatively new startup, provides realistic training scenarios through a virtual portal and a hands-on experience dealing with realistic technical hunt, investigation, and response scenarios. Immersive Labs partnered with Palo Alto Networks, Splunk, and Accenture to put together an excellent “Capture the flag” game right in the center of the conference floor.

Of course, since this is a top 3, there is a fourth top ‘thing’. With the DoD’s new declaratory policy on the use of force in cyberspace being released last year, there were some excellent discussions from Jay Healey, of Columbia University, and Neil Jenkins of the Cyber Threat Alliance on “cyber deterrence”. The policy community also turned out for a three-day working session (technically at DEFCON) hosted by the Hewlett Foundation’s incredibly active Cyber Initiative to dig deep on Public-Private cooperation, IoT policy, and international cyber law.

Don’t look for Arceo.ai at a booth, but if you are in London in December for Black Hat 2019, hit us up for a pint and a proper conversation on cyber resilience...