Posts

Game-Changer: What OPAQ’s Selection of Palo Alto Networks Really Means

We’re thrilled to have announced our partnership with Palo Alto Networks, which opens up tremendous opportunities for our MSP, MSSP, and VAR partners to deliver enterprise-grade security-as-a-service from the OPAQ Cloud.

This is a huge deal. This agreement furthers OPAQ’s mission to provide fully integrated networking and enterprise-grade security as a simple, cloud-based service. It means that OPAQ partners are empowered with:

  • A subscription model designed to make enterprise-grade security affordable and accessible to midsize enterprises. The traditional approach to security has put enterprise-grade security that midsize enterprises need out of their reach because it’s too costly and complex to manage. The OPAQ Cloud is a game changer – it makes enterprise-grade security accessible and affordable to midsize enterprises. This means new, lucrative revenue opportunities for partners.
  • Fortune 100-grade network security that’s known and trusted. The OPAQ Cloud integrates best-of-breed security capabilities that are powered by known, trusted security technologies, such as Palo Alto Networks, and other industry leaders and unique OPAQ intellectual property.
  • Cloud network engineered for speed, strength, and flexibility. OPAQ owns and operates its own private network backbone. In addition to integrating best-of-breed security capabilities into the fabric of the platform, OPAQ optimizes the speed and performance of network traffic by leveraging transit and peering relationships with world-class providers.
  • Single interface designed for simplified management, compliance, and reporting. The OPAQ 360 portal provides a single pane of glass where all customer security policies and network traffic can be centrally managed and enforced — all without the cost and complexity associated with managing dozens of security products from multiple vendors.

We chose Palo Alto Networks because they are a proven technology leader in next-generation security technologies. Bringing Palo Alto Networks into the OPAQ Cloud makes enterprise-grade network security much more accessible for midsize enterprises and manageable for solution providers supporting midsize enterprises.

For more information on OPAQ’s partnership with Palo Alto Networks, read the press release here.

OPAQ Shortlisted for Best Emerging Technology in 2018 SC Awards

We received some exciting news last week. The OPAQ Cloud was named an Excellence Award finalist in the Best Emerging Technology category for the 2018 SC Awards, an annual competition that recognizes the top solutions in the cybersecurity industry.

This is the second major accolade our technology has received in the past two weeks. The OPAQ Cloud was recently named best (Platinum) Network Security solution in the 2017 GSN Homeland Security Awards for cybersecurity excellence.

Making this list is very gratifying. The SC Awards are widely regarded as the gold standard in cybersecurity. The winners will be announced at the SC Awards ceremony on April 17 in San Francisco, in conjunction with the RSA Conference, the industry’s largest gathering.

According to Illena Armstrong, VP, Editorial for SC Media, “OPAQ Networks has demonstrated unique innovation in its approach to protecting companies from the onslaught of malicious attacks and other threats. Their solution represents some of the most effective security technology on the market today.”

The OPAQ Cloud is a security-as-a-service platform that integrates a private network backbone with built-in enterprise-grade security capabilities from the world’s leading technology providers and our own intellectual property.

Our vision was to create a solution that makes advanced cybersecurity protection accessible to midsize companies that lack the resources and staff to knit together and manage multiple products themselves. With the OPAQ Cloud there’s no hardware or software to buy, install and manage.

Since many midsize companies lack in-house security expertise, the OPAQ Cloud is available from managed service providers who can remotely monitor and protect their networks.

You can read the SC Awards press release here.

OPAQ Cloud Named Best Network Security Solution by Gov Security News

We are pleased to report that the OPAQ Cloud platform was recently named best (Platinum) Network Security/Enterprise Firewall solution in the 2017 GSN Homeland Security Awards for cybersecurity excellence.

The Awards are hosted by Government Security News (GSN) to recognize excellence and leadership in the Cyber Security and Homeland Security sectors. Winners were selected based on a combination of technological innovation, ability to address a recognized government IT security need, and flexibility to meet both current and future needs. Category winners were ranked with Platinum, Gold and Silver designations.

The OPAQ Cloud is tailored to meet the unique needs of State and Local governments, which face the same sophisticated security threats, like ransomware, as larger federal agencies, but tend to lack the resources and technical experts to adequately protect their networks.

The massive WannaCry cyberattack that infected computers in at least 150 countries several months ago is a good example. In the aftermath, many State IT officials said they often don’t have enough money to effectively fight sophisticated cyber threats. And the scale of that attack made them even more concerned.

Doug Robinson, executive director of the National Association of State Chief Information Officers (NASCIO) went on the record to say: “This is a big wake-up call because it is cyber disruption. States and local government need to address this because it’s a serious threat. We have urged states to take action immediately.”

There are many security products that try to do some really great things for state and local governments. However, many products and management systems are isolated and do not talk to each other.

This is why automation and orchestration are becoming a game-changing necessity for state and local governments. Leveraging automation can help state and local governments effectively detect and respond to threats at speed. This is what the OPAQ Cloud is designed to do — and it’s why we were honored with the GSN Homeland Security Award.

To find out more about the GSN Homeland Security Award, see the announcement. To learn about the OPAQ Cloud and the benefits of security-as-a-service visit https://www.opaqnetworks.com/solution.

Why we Pivoted to a 100 Percent Channel Sales Model

Today we announced the OPAQ Channel Partner Program and the completion of our transition to an indirect sales model. There are a number of reasons for this change.

First, many midsize enterprises look to service providers to deliver security services. These organizations struggle to protect themselves from cyber threats due to the shortage and high cost of skilled IT professionals, the growing sophistication of attacks, and the complexity of managing multiple security products and services. These challenges have spiked demand among midsize enterprises to outsource their security. According to Gartner, Inc., services will make up over half of all security spending, at $57.7bn in 2018. Meanwhile, spending on security outsourcing services will total $18.5bn, an 11 percent increase from 2017.

Second, both midsize enterprises and service providers struggle with the upfront expense and complexity of acquiring, configuring and maintaining multiple hardware and software security products from different vendors.

For many midsize enterprises, the capital cost of implementing a Fortune 500-grade security infrastructure, not including the human resources to manage it, is overwhelming. Meanwhile, service providers that want to offer managed security services face a similar dilemma, only from a scalability and profit margin standpoint. The traditional hardware/software model requires they purchase products, install them at the customer site(s) and then manage the infrastructure.

Many of the partners’ midsize enterprise customers require complete outsourcing while others prefer a co-managed or self-managed approach. And our partners know which model best suits the customer. We have invested significant time and resources in the development of our “single pane of glass” approach.

This enables partners to deliver end-to-end network security across their customers’ distributed infrastructures — including data centers, branch offices, mobile and remote workers, and IoT devices. The OPAQ 360 portal, a web-based interface, enables our partners to centrally provision, configure and manage an unlimited number of customer sites and policies remotely. Our Partner Portal also makes it simple for partners to go to a single place in order to access training, sales support, deal registration, and other resources that are essential in helping them to accelerate time-to-value.

According to one of our channel partners, Tom Turkot, vice president of client solutions for Arlington Computer Products, “The OPAQ Cloud is a game changer.”

You can read today’s announcement here: OPAQ Channel Partner Program Press Release. Or for information about the OPAQ Channel Partner Program visit: https://opaqnetworks.com/partner-program.

Closing the security skills gap with online education

Ryan Corey is President and Co-founder of Cybrary, Inc., an online security training and education provider. Cybrary provides free access to security courses, along with learning tools and an enterprise training product.

OPAQ: Describe business needs for security training today and how/why online courses are a good fit for meeting them.

RC: Technologies are shifting so fast, and attack surfaces are expanding so fast, that it is tough to keep up with it all. Equipping personnel with the right skills is critical. Research has shown that companies retain their people when they continually train them, but the tech and IT security training landscape is problematic. The traditional model is to send people on a one-week course, where they cram in lots of material at a cost of $3,000 to $6,000. The industry would certify people in whatever course they took, and that’s another $300 to $1,000 for the test. It’s also inaccessible: if you are not close to a major metropolitan area then you have to travel. And if a company doesn’t sell enough seats in a course, then the course might cancel. That’s inconvenient. It became obvious when companies like Pluralsight and Lynda started having massive success that online became the preferred way to do training. You can do it at your own pace, and it’s much more affordable. Microbursts of learning are what seem to work best for most people.

OPAQ: From looking at your user base and most popular courses, what trends do you see that correlate to security education and/or security needs?

RC: Concepts like the DoD 8140 directive for the federal government and pen testing are popular with consumers; on the enterprise side, it’s incident response and threat intelligence. The enterprise product, which is the paid side of the business and includes full access to all the learning tools, is seeing 20-30% revenue growth monthly. Yet we also know that so many security teams are not getting training, and it’s surprising.

OPAQ: In what cases is online learning not an appropriate match for security professionals?

RC: People tend to go to classrooms when there is pressure to learn something in a specific time period, when they need mentorship, or hands-on training. I think where online falls short is in the accountability aspect, but you can design courses with gamified concepts to help keep people engaged. It’s like going to the gym on a regular basis. Sometimes you don’t see what the reward is going to be, so maybe you won’t go.

OPAQ: Aside from training and education, what else is critical to closing the security skills gap in this country?

RC: The final piece is assessment. Let’s say a stay-at-home mom who used to work in IT wants to go back to work after being at home for five years. She’d like to work in cyber but she’s got no experience. So even if she goes and takes a $5,000 course for a week, that’s still not enough, and getting a two-year degree is really not convenient and it’s expensive. That is very high friction. That’s the same for someone just starting out. A degree is not useful without experience. If an individual takes online training and does an assessment, that puts them through real-world scenarios and gives scores for their performance. There is a company called Cyberscore that offers tech assessments for system administrators. Coding challenges are another way to do this. The point is, people need a transparent way to show the employer that they are technically proficient in a security skill.

Good Security Depends Upon Automation, Analytics and Outsourcing

Joshua Margolin is Principal Analyst at Clutch. He received his BA in Business Communications from the University of New Hampshire, and his MA in Technology & Entrepreneurship from Georgetown University.

OPAQ: Which are the hottest areas within the security tech sector right now in terms of customer demand and innovation?

JM: To set the stage, companies worry most about whether they will be too late in implementing security technology. Another important consideration is the job market, because there isn’t enough cyber security talent to go around. Companies don’t know where they stand from a risk profile standpoint and once they do, many aren’t sure how to address it. There’s going to be less of a demand for security consultants and analysts because more companies will defer to automation solutions for detection, monitoring, privileged access and transparency. The fact that you can subscribe to security services in the cloud means that you don’t need to hire a team of experienced analysts. Our recent survey indicated that 70% of large companies will invest more in cybersecurity technology over the next year.

Another top category is Internet of Things (IoT). Large enterprises have a lot to gain by integrating IoT into their core business. On the consumer side, we are seeing more of these devices all the time – from smart home and car technology to wearables. Companies need to determine whether or not they should invest money in endpoint protections considered outside the traditional realms of interaction.

OPAQ: What types of customers are becoming more interested in cloud or outsourced security services and how do you think this market will evolve?

JM: It makes sense to outsource these activities, especially for smaller companies, because it’s so expensive to staff your own team of security experts. Yet before you spend money with any vendor, it’s worth the investment to hire a threat intelligence agency. These companies audit internal data and practices while considering the wider marketplace, all in an effort to determine what threats would most likely be encountered. Companies easily fall into the illusion that technology is the panacea. Not every business requires the same degree of security or even the same approach. It’s also important to remember that at least half of a company’s needs can be addressed by sound policy and effective training. For many companies, hiring a SaaS provider or two is sufficient. With larger project scopes, an MSSP is ideal because they will integrate several complementary SaaS products and manage the vendor relationships.

OPAQ: Both Gartner and IDC predicted earlier this year 7-8% growth in IT security spending worldwide. How do companies best decide how to use a bigger budget?

JM: It will first depend on what internal expertise they have out of the gate. Any company that has a CSO or CIO has experience and networks to help figure this out. What’s difficult is when a company has no internal IT to rely on. This leaves them at the mercy of vendors’ salesmanship. They might be driven by the fear factor or they might misallocate budget to bring a contractor in-house. This only drives the costs way up. It might offer more peace of mind when compared to outsourcing but then the company is limited by the expertise of any single person. There’s a lot more to gain by tapping into wider talent pools.

OPAQ: Are developers and engineers having a hard time staying abreast of threats and developing the right solutions to counteract new threats and recover from them?

JM: The market for malware and ransomware is booming. There are a lot of talented people out there with malicious intent. These actors are often well financed by corporations or governments and they will find a way in; it’s only a matter of time. Technologists and engineers on the good side are always going to be chasing down the black hat actors. It’s better to be adaptive and react in the nick of time, all made more possible than ever thanks to advances in predictive analytics and artificial intelligence. That’s where the new frontier is for cybersecurity.

Considering Compliance in the Cloud

Gates Marshall is Director of Cyber Services at CompliancePoint. He has many years of experience in information security consulting with expertise across secure architectural design, vulnerability and penetration testing, OWASP, forensics, incident response, GDPR, FISMA, MARS-E, and cryptographic control design and implementation.

OPAQ: What exactly do we mean these days by “cloud compliance” versus other security and compliance topics?

GM: In some respects, there is not a big difference between on-premise and the cloud. HIPAA or PCI standards don’t make special exceptions for the cloud. The rules apply the same everywhere. There are also some cloud-specific compliance solutions out there like CloudeAssurance or CSA Star Certification, which allow organizations to achieve a quantifiable rating on compliance. Yet for a lot of things, being compliant in the cloud is not much different than having a data center somewhere or a colocation provider.

A significant problem is that when people sign on with a cloud service provider (CSP), they sometimes think they are outsourcing the due diligence aspect of compliance. Google, Microsoft and Amazon have a number of certifications, but these are to certify their own services. They are not certifying that their merchants and other customers are compliant in any specific client-level implementation.

OPAQ: There are some differences, though, right?

GM: The way you can configure systems in the cloud is different than a traditional on-premise installation. For instance, take PCI DSS, which is a fairly prescriptive standard for merchants. It calls for having a demilitarized zone (DMZ) separate from your LAN to isolate and protect credit card data with a firewall. CSPs may support other mechanisms, like AWS security groups, to facilitate a similar functionality; however, doing so still doesn’t meet all of the compliance requirements for a DMZ. So organizations are using these new cloud services, but they are missing some of the requirements as they relate to architecture controls and/or logical segmentation.

OPAQ: How would you describe the level of security and compliance support at the major cloud providers?

GM: They do quite a bit to reduce the burden of compliance. Most of them produce good documentation to declare what we call a service provider controls responsibility matrix. It shows what the provider is doing around compliance and that helps because it both reduces the burden on the customer and declares where the customer’s remaining responsibilities begin. Security at the large CSPs has improved a lot, for instance with services like Amazon CloudWatch for monitoring. All the major providers now have good auditing capabilities for the management interface and offer multifactor authentication. These developments give customers more confidence in the cloud.

OPAQ: Is security protection in the cloud as good as or better than an enterprise on-premise environment?

GM: We tend to have an affinity toward legacy configurations in the on-premise world. By that, I mean we set it up and it works and we never change it. It’s security via obscurity. When you go through the transformation process to become a cloud-first organization, you need to fix all those legacy issues that were acceptable in the LAN environment. You can’t be so sloppy. Cloud providers may be less secure than on premise, however, because you’re letting someone else manage the Layer 1 infrastructure. The physical addressing and networking and storage configurations now fall on the CSP. They may have weaknesses that you don’t know about and the customer has to depend on third-party attestations. Hypervisor hopping has been a concern for a while. If a CSP’s hypervisor technology has a flaw, a malicious actor could jump between different customers’ VM guests through the hypervisor. There aren’t any disclosed examples of this happening, but it’s always a risk in a multi-tenant environment.

OPAQ: Yet most if not all of the massive breaches in recent years have been in on-premise environments, right?

GM: While this is true, many of these breaches could have taken place in the cloud. Equifax had a real problem with inventory because they didn’t have visibility into the software that should have been patched. That scenario could have also occurred with a CSP. Vulnerability management is critical in any implementation. Accenture did have an issue in the cloud recently, which could have been disastrous. In October, it was discovered that the global consulting firm had left an AWS S3 storage location unsecured, leaving over 100GB of customer data accessible without authentication by anyone on the Internet with the correct S3 URL. The insecure configuration of Amazon S3 could also apply to on-premise technologies. No matter where your data sits, IT needs to secure the location against exploitable configurations and software flaws.

OPAQ: Do you foresee more regulation in the area of cloud compliance and security?

GM: Yes. The EU’s General Data Protection Regulation (GDPR) has huge potential to change a lot of things in tech. It goes into enforcement in 2018, and may become a global standard for privacy. GDPR applies to any organization that uses the data of people who are in the EU at the time of data collection. Two key principles of GDPR are that companies and organizations should use data minimization to keep the smallest amount of data possible and use consent mechanisms to ensure they’re authorized to hold or use that data. If you have 10 million customer records, but determine that you only need to keep two million records and purge the rest, your risks go down. If a breach occurs, there is less data loss and lower costs to mitigate the impacts of the loss. Information privacy is the next frontier. The large CSPs realize that if they don’t get in front of this, they will lose business. This will require that CSPs look closely at the leading cyber risk rating mechanisms, and adopt one or two of them. I think we’ll also see more CSPs provide guidance on how to meet global data security and privacy requirements in an effort to help customers help themselves.
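The S3 exposure Marshall describes above is a configuration failure, and the check a defender wants is a way to spot bucket policy statements that grant access to anyone before they go live. The following is an added example, not part of the interview and not CompliancePoint's or OPAQ's code: it parses a bucket policy document and reports Allow statements whose principal is anonymous and unconditioned, shown against an exposed policy and a hardened one. The bucket name, account id and role ARN are constructed placeholders.

```python
"""Flag S3 bucket policy statements that grant anonymous (unauthenticated) access.

Added illustration for the S3 exposure discussed in the interview above; not the
interviewee's or CompliancePoint's code. Bucket names, account ids and ARNs are
constructed placeholders.
"""
import json
from typing import Any

# Constructed sample: a policy of the kind the interview describes (any caller may
# list and read the bucket) and a hardened version of the same policy.
EXPOSED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::example-client-data",
                         "arn:aws:s3:::example-client-data/*"],
        }
    ],
})

HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            # Only a specific application role may read objects.
            "Sid": "AppRoleRead",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/example-app-role"},
            "Action": ["s3:GetObject"],
            "Resource": ["arn:aws:s3:::example-client-data/*"],
        },
        {
            # A Deny with Principal "*" is a control (refuse plaintext HTTP), not an exposure.
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-client-data",
                         "arn:aws:s3:::example-client-data/*"],
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
})


def _as_list(value: Any) -> list:
    """IAM policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal: Any) -> bool:
    """True when the Principal element matches every caller, authenticated or not."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any(p == "*" for p in _as_list(principal.get("AWS")))
    return False


def public_statements(policy_json: str) -> list[str]:
    """Return the Sids of Allow statements that grant an anonymous principal access
    with no Condition narrowing who can use them."""
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            # Scoped to something (a VPC, a source IP range); needs review, not an automatic finding.
            continue
        findings.append(stmt.get("Sid", f"statement[{idx}]"))
    return findings


if __name__ == "__main__":
    print("exposed :", public_statements(EXPOSED_POLICY))   # ['PublicRead']
    print("hardened:", public_statements(HARDENED_POLICY))  # []
```

The bucket policy is only one of the ways an S3 bucket becomes public; object and bucket ACLs and the account- and bucket-level Block Public Access settings also decide the outcome, so this check belongs alongside those, not in place of them. Statements with a wildcard principal but a Condition are deliberately left for manual review, since whether the condition actually narrows access depends on what it tests.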

IoT Systems are Complex, and so is Securing Them

Brian Russell is Chief Engineer, Cyber Security Solutions at Leidos. In this role, he defines and implements cyber security controls for Internet of Things (IoT) and cloud products and systems. Russell is the co-author of “Practical Internet of Things Security” and is Chair of the Cloud Security Alliance (CSA) IoT Working Group.

OPAQ: How do security risks for IoT devices and applications differ from mobile security or web app security?

BR: Some of the risks related to IoT devices are similar to risks we’re already familiar with, such as those identified by the Open Web Application Security Project (OWASP): security misconfigurations, sensitive data exposure, using components with known vulnerabilities, and privacy risks. Where we run into differences compared to mobile and web app security relates to the physical nature of IoT devices, acquisition and deployment models for IoT devices, enablement of automation across IoT devices and privacy associated with IoT devices.

For example, we might see IoT products deployed across a city such as smart parking meters or road-side units (RSUs). These devices need comprehensive physical protections built into them to prevent theft and extraction of firmware for further security analysis. It’s also important that access controls for these devices are explored thoroughly. We’ve already seen plenty of scenarios where product makers have used shared credentials across a family of devices. These configurations make it unnecessarily easy on malicious actors.

The IoT is similar also in some instances to the concept of BYOD in that employees or customers may bring connected products, such as smart watches, into the organization. Or, employees might install smart TVs on corporate networks, and those devices could send data out to the manufacturer. Security teams need to be on the lookout for these connected devices and make sure that they don’t open avenues to export company data to the outside.

As relates to new acquisition models, a company may decide to lease an expensive connected asset instead of purchasing it. Often, the asset is remotely managed by the vendor. This opens new interfaces to the organization’s networks that must be locked down.

OPAQ: What are the top enterprise risks from IoT?

BR: First, it’s useful to understand the core ways that enterprises are using IoT data. We are seeing that manifest in two ways: first, the IoT device feeds data into analytics systems that companies rely upon for decision making purposes, and second, the IoT systems could enable automated decision making within control systems, such as sensors that collect system status data to decide whether to continue or stop a running process.

From an analytics perspective, we must protect against data tampering. If we do not have confidence in the provenance of the data then decisions made based on that data must come into question. So, we must apply lifecycle security protections to the data to enforce data integrity. This can be accomplished through cryptographic hashing algorithms, for example. Organizations that collect sensitive data from individuals must not only protect it, such as with encryption, but they must recognize that they are collecting sensitive data in the first place. If, for example, you’re collecting blood pressure data from your patients, that piece of data alone isn’t necessarily sensitive. But, when combined with identifying information, the aggregate data is subject to regulatory compliance rules.

If a malicious actor gains access to an IoT-enabled industrial control system, then they can cause unexpected physical actions to occur, which put the safety of the enterprise’s stakeholders at risk. For example, by increasing the pressure in an oil pipeline, attackers could cause an explosion. That’s why I usually like to recommend performing at least a rudimentary safety analysis for any IoT system being implemented.

OPAQ: Is security a barrier right now for the adoption of/broader potential of IoT?

BR: What is a bit concerning is that I don’t necessarily know that security is a barrier right now for the adoption of IoT solutions. IoT-based innovation continues at a rapid pace, even in safety-critical industries. Connected and autonomous cars are already on the road, medical devices are being connected, control systems are being connected, and the home/consumer IoT market continues to expand. It seems that many of us are willing to take a chance on new technologies enabled by the IoT and then update those devices when we find that a security flaw has been discovered.

OPAQ: What kind of advice would you give IT departments regarding implementing IoT security plans – whether that’s from employees bringing in personal IoT devices and apps– or from the company having business IoT technology in place?

BR: First, sit down and think about what policies you might need to institute, such as what devices people can bring into a space and what they can connect to the network. Also, keep track of IoT-related vulnerabilities and make sure to tune your detection processes based on what might be in use in your organization. For organizations putting business IoT technology in place, make sure that you aren’t infringing on anyone’s privacy with these systems (e.g., conduct a Privacy Impact Assessment) and make sure that you aren’t jeopardizing the safety of users, either. Perform a threat model to identify the high value assets and the data flows within your system and lock them down appropriately. Apply integrity controls to your data at all points within your systems. Keep track of all of the IoT assets in your enterprise, which includes tracking the physical locations of your assets and the versions of firmware/software running on these assets. And, of course, put a plan in place to keep all of your IoT assets updated.
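Russell's points about data tampering, provenance and per-device credentials come together in one small mechanism: a keyed hash (HMAC) over each reading, computed with a key unique to the sending device, checked by the collector before the data reaches analytics. The block below is an added example and not Leidos' or the interviewee's code; the device ids, keys and pressure readings are constructed, and a real deployment would hold the keys in a secrets store or the device's secure element rather than in source.

```python
"""Integrity-protect IoT telemetry with a per-device HMAC so tampering and forged
origins are detected before the data reaches analytics.

Added illustration for the data-integrity discussion in the interview above; not
Leidos' or the interviewee's code. Device ids, keys and readings are constructed.
"""
import hashlib
import hmac
import json

# Constructed: each device has its own secret, so one leaked key does not let an
# attacker forge readings for the whole fleet (the shared-credential problem the
# interview mentions). Production keys belong in a secrets store or secure element.
DEVICE_KEYS = {
    "meter-0001": b"constructed-key-for-device-0001",
    "meter-0002": b"constructed-key-for-device-0002",
}


def _canonical(reading: dict) -> bytes:
    """Serialise deterministically so sender and verifier hash identical bytes."""
    return json.dumps(reading, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id: str, reading: dict) -> dict:
    """Device side: add the device id, then an HMAC-SHA256 tag over the canonical body."""
    body = dict(reading, device_id=device_id)
    tag = hmac.new(DEVICE_KEYS[device_id], _canonical(body), hashlib.sha256).hexdigest()
    return dict(body, mac=tag)


def verify_reading(message: dict) -> bool:
    """Collector side: recompute the tag with the claimed device's key and compare in
    constant time. Unknown devices, missing tags and modified fields all fail."""
    key = DEVICE_KEYS.get(message.get("device_id"))
    if key is None or "mac" not in message:
        return False
    body = {k: v for k, v in message.items() if k != "mac"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, message["mac"])


def ingest(messages: list[dict]) -> tuple[list[dict], list[dict]]:
    """Split a batch into readings safe to feed to analytics and ones to quarantine."""
    accepted, rejected = [], []
    for m in messages:
        (accepted if verify_reading(m) else rejected).append(m)
    return accepted, rejected


def demo() -> tuple[int, int]:
    """Run one genuine, one tampered and one forged-origin reading through ingest."""
    good = sign_reading("meter-0001", {"seq": 41, "pressure_psi": 812.5})
    # Someone in the path changes the value but cannot recompute the tag without the key.
    tampered = dict(good, pressure_psi=612.5)
    # A valid message relabelled as coming from a device the collector has no key for.
    forged = dict(sign_reading("meter-0002", {"seq": 7, "pressure_psi": 800.0}),
                  device_id="meter-9999")
    accepted, rejected = ingest([good, tampered, forged])
    return len(accepted), len(rejected)


if __name__ == "__main__":
    print(demo())  # (1, 2)
```

The tag covers the device id and a sequence number as well as the measurement, so relabelling a message or replaying an old one is detectable once the collector also tracks the last sequence seen per device. An HMAC gives integrity and origin authentication only; the encryption Russell mentions for sensitive readings is a separate layer applied on top.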

Meyer: Closing the Cybersecurity Skills Gap with Entry-Level Roles

Ean Meyer is a Course Director with Full Sail University, teaching the next generation of engineers about information security. He has experience in PCI, SOX, intrusion detection and prevention systems, information security program management, penetration testing, and social engineering/user awareness training. Ean has a B.S. in Information Security and an A.S. in Computer Network Systems.

OPAQ: What are a few reasons why security skills are lacking in the workforce?

EM: There are two main problems in the higher level discussion about the skills gap. We have focused too much on passing tests and not critical thinking and history and engineering. Information security is about thinking outside of the box: you have to think like a hacker. The second challenge is that academia has a tendency to be behind the curve. In some colleges you have to pass electrical engineering to get into the network security course. That’s a major barrier for people who could be excellent network engineers or security analysts. It doesn’t make sense. I am a big believer that the skills gap can be solved by a trade school and real world education approach. People aren’t going to enter the workforce into environments where it’s all brand new technology, except for maybe at startups. In large organizations you’re going to have a lot of legacy technology, so teaching the history of that and learning how to deal with those challenges is part of the skills gap issue.

OPAQ: What skills are most needed now?

EM: The top one is security analyst. These are people who can come in and understand the environment quickly and provide value by teaching well-defined processes and when to escalate. There are lots of people from IT fields that know how computer infrastructure works and can be taught additional pieces of process they haven’t been exposed to yet. The second big one is cloud security architect. The cloud is not simply “push a button and it’s all good behind the scenes.” For AWS, there are 1500 pages of security documentation. I’m also a big fan of understanding what is going on in social engineering—the con men just trying to trick people. I think security awareness training is a big opportunity. These trainers can help employees understand in plain language the real issues and how to protect themselves.

OPAQ: You recently wrote about a solution to the skills gap, involving the creation of entry-level security roles at companies. Tell us how this can work.

EM: One of the arguments is that you are not a security person unless you are a generalist at the peak of your career. But someone familiar with Microsoft tools could become a security champion. Let’s create roles where someone could evaluate a new vulnerability because they know all of the company’s IT systems. There could be new types of intern programs where someone could be in charge of real projects like patch management allowing them to learn and grow and stay on with the company. Interns are often brought on with no real goal. They aren’t learning or doing much and you aren’t getting much value from them. That intern could have a senior engineer overseeing their work and then you can grow the security workforce. You’ll also learn a lot because the person from the outside will see things you won’t see.

OPAQ: What kind of culture and processes are needed to support the in-house training and development of entry-level roles?

EM: The security analyst doesn’t need to program in C++. You can get a great analyst who can see the alerts on a dashboard and address them. They can learn how to code later, if needed. It’s not necessary to create an HR firewall requiring all these certifications and degrees to get a job in security. Job rotations are another idea. Someone who’s been on the database team for a few years could get invited to work on the security team for a few hours a week. That builds relationships and allows people to move more easily into a security role when there’s a need. I would also encourage directors to worry less about having to replace that database person and consider how that person is bringing institutional knowledge to a security role and can still be a resource to answer questions for the database team. We need to focus more on these cross-departmental relationships.

Acohido: Cyber-insurance is still nascent, yet worth a look

Pulitzer-winning journalist Byron V. Acohido is the founder and executive editor of Last Watchdog, a pioneering security webzine. One of the nation’s most respected cybersecurity and privacy experts, Acohido conceived and delivered a nationally recognized body of work for USA Today, chronicling the frenetic evolution of cybercrime in its formative stages.

OPAQ: Some 32 percent of U.S. businesses purchased some form of cyber liability and/or data breach coverage in the last six months, compared to 29 percent in October 2016, says a survey by the Council of Insurance Agents and Brokers (CIAB). Do you think this growth will continue—and why?

BA: Demand for cyber insurance absolutely will increase at a healthy clip for the foreseeable future. That’s because the value of business data and intellectual property today far outstrips the value of the physical plant. Think about it: we can do astounding things with cloud computing and mobile devices. And yet the business networks that support Internet-centric commerce remain chock full of security holes. Criminals get this, and will continue to take full advantage. Meanwhile, businesses are scrambling to figure out how to deal with data theft, network disruptions and cyber fraud. And we are in the very earliest stages of dialing in insurance to help them offset these emerging exposures.

OPAQ: There are a number of barriers for purchasers of cyber insurance, including: lack of standardization on policies and pricing, difficulties determining risk, difficulty showing attribution when a breach or incident occurs, and so on. Thoughts on these and how should the insurance industry address them?

BA: There’s nothing, really, stopping the industry from taking the first step of standardizing the basic terminology to use in cyber policies. Right now there is none. Standardized language would pave the way for underwriters to begin more assertively partnering with cybersecurity vendors to come up with innovations to measure cyber risks. Insurers could become much more proactive about incentivizing companies to embrace more rigorous security policies and practices. As the pool of lower-risk policyholders grows, the industry could then begin to extend policies to cover specific cyber exposures that today are not routinely covered.

OPAQ: There is risk in buying cyber insurance in terms of mitigating losses. For instance, Target received an estimated $100 million in coverage, which didn’t even cover half of the $290 million it lost. How can companies avoid this sort of outcome?

BA: No company should be relying solely on insurance to eliminate all, or even most, cyber exposures. In the current environment, where hackers probe business networks 24 by 7 by 365, network security should be a top priority for all organizations. It’s a cliché, but true, that there is no silver bullet. The use of layered security technologies remains vital; no less so continually refining and enforcing policies and training employees. A cyber policy can then be thoughtfully purchased to offset the remaining risk.

OPAQ: Given these barriers, any tips for CSOs seeking carrier quotes?

BA: It’s an interesting time to go shopping for cyber coverage. Even though the insurance industry has left many things undone, there is wide recognition of the pent-up demand. The result is that there are many companies competing aggressively to sell policies. In a sense, it’s a buyers’ market. Numerous options are available to get some level of cyber coverage from somebody. The problem, of course, is that the devil is in the fine print. So it is important to find a knowledgeable, trustworthy agent to guide you through the due diligence process.

OPAQ: Finally, what could security vendors be doing to help their customers with cyber insurance – a.k.a. data collection, navigating insurance decisions, partnering, etc.?

BA: The path forward for security vendors, at this point, seems to be much the same as insurance buyers – become knowledgeable about this emerging market and align yourself with smart, trustworthy partners. A few pioneering partnerships between insurance companies and security vendors are out there, and I expect this trend to accelerate over the next few years.