It's been pretty interesting for me to see that all startup/security companies use the same tactics at the insurance conferences.
The pitch goes "we solve X security problem, so you can write better companies/charge less". Things start to go south right after that though. 🧵
Don't get me wrong, I went through the same in the early @binaryedgeio days, because I was living under the impression that "cyberinsurers were in the business of writing secure/safe companies". Tiny problem: that's not the objective.
Insurers are in the business of writing companies that will not have claims. What this effectively means for you as a cybersecurity startup/org is that you need to:
1 - understand where most of the claims are coming from (you will be surprised that only a VERY small percentage of vulnerabilities actually matter, attackers are still exploiting the basics) and
2 - be able to explain to the insurance company what ROI they are going to get.
You need to talk risk and $, not # of vulnerabilities or "things you protect companies from", because guess what? For some risks insurance companies know how to price them; others just don't happen in big enough numbers to matter to the loss ratio.
Insurance works on the law of large numbers. So where do you start?