Jeremiah Grossman, WhiteHat Security
Security products and services never seem to come with guarantees. You have to take it on trust that they will do the job they claim to do. And if not? Well, try the next one.
WhiteHat Security is following the example of vendors in other business areas and offering a guarantee on its vulnerability assessment services. If a customer is breached via a vulnerability that WhiteHat should have spotted, then that customer gets their money back plus up to $500,000 in indemnities against losses.
According to Jeremiah Grossman, the firm’s founder, his business is able to offer this because of its many years of experience in finding and studying vulnerabilities.
He also thinks other vendors should do the same. All they need to do, he says, is understand their own success and failure rates: if a vendor knows accurately how often its service fails to catch a vulnerability, it is straightforward to estimate the expected cost of offering a guarantee. Working that figure out might also be an eye-opener for some vendors.
Does this suggest that the vulnerabilities and exploits are highly predictable? Grossman thinks so: we know a lot about the attackers and the methods they use, such as SQL injection.
To offer such guarantees, vendors need to work with customers to understand what risks are the customer’s responsibility and what is covered by the security service and its guarantees. It’s also important for the vendor to know what they can and can’t cover.
The rapid rise of the cyber-insurance industry is a clear sign that organisations are worried about getting hacked. But it also signals a lack of confidence in their ability to prevent it, which Grossman sees as an indictment of the security industry.