The big unknown is super-cat insurance. Were the terrible hurricane seasons of 2004-05 aberrations? Or were they our planet’s first warning that the climate of the 21st Century will differ materially from what we’ve seen in the past? If the answer to the second question is yes, 2006 will soon be perceived as a misleading period of calm preceding a series of devastating storms. These could rock the insurance industry. It’s naïve to think of Katrina as anything close to a worst-case event.
Neither Ajit Jain, who manages our super-cat operation, nor I know what lies ahead. We do know that it would be a huge mistake to bet that evolving atmospheric changes are benign in their implications for insurers.

Don’t think, however, that we have lost our taste for risk. We remain prepared to lose $6 billion in a single event, if we have been paid appropriately for assuming that risk. We are not willing, though, to take on even very small exposures at prices that don’t reflect our evaluation of loss probabilities.

Appropriate prices don’t guarantee profits in any given year, but inappropriate prices most certainly guarantee eventual losses. Rates have recently fallen because a flood of capital has entered the super-cat field. We have therefore sharply reduced our wind exposures. Our behavior here parallels that which we employ in financial markets: Be fearful when others are greedy, and be greedy when others are fearful.
This describes some of the fundamental concepts in risk management that get missed in Information Security. It is OK to take risks. InfoSec's job is not to tell the business what risks to take; rather, it is to highlight the risk and the risk management options. What countermeasures can we deploy to protect the assets in this transaction that would make the tradeoffs more palatable?
But of course, it is not just the big challenges and decisions, but the small ones too. Just as Buffett is averse to small exposures at bad prices, InfoSec should examine this balance as well. I remember a talk a few years ago by Jay Beale at Black Hat. He was speaking on IDS/IPS and other kinds of cutting-edge stuff, and Beetle from the Shmoo Group stood up in the middle of the talk and said, basically, "This is ridiculous. Instead of all this new technology, businesses need to focus on locking down their operating systems," and so on. The point is that the job of Information Security is not to avoid risk at all cost, or to deploy every security technology under the sun, but to find the right amount of countermeasures to deploy based on the assets in play in a given context.
A useful model for security architects is an investment counselor. If your investment adviser gave the exact same guidance to everyone, would that be useful at all? Not so much, but this is more or less the equivalent of what you see in many information security policies.
Instead, do what investment advisers do: based on the relevant factors (age, time to retirement, risk tolerance, and so on), recommend a set of stocks, funds, and bonds that meet the client's needs. The Information Security architect should likewise have a portfolio of security services that can offer the right mix of defense-in-depth services based on the business factors.