The Marsh brokerage unit of Marsh and McLennan recently announced a new evaluation process called Cyber Catalyst designed to determine the usefulness of enterprise cyber risk tools.
While this collaboration between insurance companies is unusual, it's not entirely surprising. Cyber insurance is a $4 billion market globally. While it's difficult to accurately gauge how many hacking attempts were successfully foiled by the products targeted here, data breaches and cyber attacks on businesses continue to increase in frequency and severity. The 2019 World Economic Forum's Global Risks Report ranks "massive data fraud and theft" as the fourth greatest global risk, followed by "cyber-attacks" in the five slot.
Meanwhile, cybersecurity products and vendors have been, to be charitable, a mixed bag.
Good in Theory
From this standpoint, Cyber Catalyst seems like not just a good idea, but an obvious one. A standardized metric to determine which cybersecurity solutions are no better than a fig leaf and which ones provide real armor to defend against cyberattacks is sorely lacking in the cybersecurity space. By Marsh's own estimates, there are more than three thousand cybersecurity vendors amounting to a $114 billion marketplace. Many of them don't inspire confidence on the part of businesses.
Or Maybe Not
Where the analogy to the Insurance Institute for Highway Safety breaks down is here: The threats to car drivers and passengers have ultimately stayed the same since its inception. Everything we've learned over the years about making cars has progressively led to safer vehicles. Information technology is vastly different in that iterative improvements in one specific area doesn't necessarily make an organization as a whole safer or better protected against cyber threats--in fact sometimes it can have the opposite effect when a new feature added turns out to be a bug.
Culture Eats Strategy for Breakfast
Where the Cyber Catalyst program seems to potentially miss the mark is by overlooking the weakest link in any company's security (i.e., its users). An advanced cybersecurity system or set of tools capable of blocking the most insidious and sophisticated attack can readily be circumvented by a spear phishing campaign, a compromised smartphone, or a disgruntled employee. Social engineering cannot be systematically addressed. Combatting the lures of compromise requires organizations to foster and maintain a culture of privacy and security.
This article originally appeared on Inc.com.