Been invited to work with Jamie Gamble (@bitgamble) on two talks at RSA.
– The first is about medical device security, providing content for defenders and manufacturers to help design and assess products against security standards. The FDA provided some guidance (a 2-pager) in June that is summed up as “cyber security is important” and “check out NIST and some SCADA docs” for more information. See this link. Since that guidance lacks depth, we wanted to pull together some content based on previous hacks and vulnerabilities, what we can learn from them, and how we’ve built a quick and dirty framework to use when reviewing a medical device for its security posture. We go beyond the publicized technical controls and include controls that consider the entirety of the device: its network security, access controls, and third-party support.
– The second is on cyber risk insurance. This isn’t a dry message about premiums and policies but perspectives on the market and how it should, could, and does work today. This is a rapidly growing market (the fastest-growing specialty line in insurance) and people all over are picking it up for a variety of reasons. However, there’s more to the story, and hopefully you’re entertained hearing about its many flaws and what we think could be done better to price and transfer risk.
If you have any thoughts on the matter, hit me up on Twitter at @west_tim or comment here.