Patching cadence becomes a thing

I recently wrote on the Hiscox London Market Blog (with the help of the excellent Simon Challis) about the Meltdown / Spectre vulnerabilities in CPU's (article is here). Two immediate things, firstly it shouldn't be a popularity contest for which bugs have the nicest logo and website and secondly most of my thoughts are reflections of Kevin Beaumont, who I think is one of the most incisive commentators on IT security (and suitably irreverent at the same time).

image from Corax website

So what's the big deal ? Well nothing really. These vulnerabilities have the potential to be a really big deal, but at the moment, they're just not. That doesn't by any mean you should rest easy, and certainly after careful testing you should apply (if safe to do so) all the relevant patches.

What interests me most is how this is changing patching from a boring but necessary (and often neglected) back office task into something that the board, and soon investors will be taking notice of. The race is on currently, can enterprises patch before malware authors come up with a remote way to exploit these newly discovered vulnerabilities.

What makes this even more interesting is the fact that it's now easier to watch this battle from the sidelines. A new industry has sprung up to measure cyber risks.

Both the pure risk scoring players such as Bitsight and FICO, but also a new breed of insurance startups premised on cyber risk scoring and aggregation, such as Cyence (recently acquired by GuideWire), CyberCube (recently spun off by Symantec) and Corax.

How long before the board asks for their own risk score, or during M&A discussions a company's risk score is one element that is considered before financial investment ?

If you're interested in learning more about Cyber insurance, here's a link to a BBC article in which I'm quoted here