Security is Not Insurance – Debunking the Myth

By Sharon Smith

Since 2005 I have been an information security consultant, and today I consult and coach security executives on strategy, compliance, messaging, and teams. So today I am going to talk about something that is critical to any organizational leader: information security. More specifically, the myth that security equates to insurance.

Many people in the security industry have used the insurance analogy for a very long time to explain the importance of security to an executive or client who has said, “Why do I need security? It’s expensive and nothing has happened to my network; my company’s data is fine.”

The response often provided has been “for the same reason you need car insurance or medical insurance, you never know when there will be a problem.” Using a real-world situation to help explain something that is not always clear makes sense, but this analogy is not correct.

The reason it’s not a good analogy is that security is not insurance. Insurance attempts to make you whole again. It is there to replace your car, rebuild your house, allow you to replace lost or stolen items, or help you regain your health. Security, on the other hand, does not make you whole; once your data is stolen, your network breached, or your systems locked up with ransomware, it is not security that will make you whole again. There is insurance you can purchase for the day the attacker on the other end of the phone says they want 20 million dollars to unlock your systems, but that really is insurance, not security.

If we are going to use analogies, then security is your force protection; it is proactive. You know the guys (or gals) at the perimeter with the big guns who are going to keep the bad guys (or gals) out in the first place. When I used to work at the Pentagon, there were armed guards with very big guns making sure only the people with the proper access could enter the building. Then there were locked doors within the building that could only be accessed by another select group of people. That is security! We don’t call them insurance guards; we call them security guards (or in this case military police).

The same is true for access to your computer systems, network, and data. Your information security or cyber security (if you are using that term) team is your armed guard; it is their responsibility to keep the bad people out, to monitor for intrusions, and to respond if or when a breach is observed. If you are treating this group as insurance, you are not giving them the level of importance they deserve, the funding they need, or the authority they require.

For small organizations, you might think, “Who wants my data? I’m good till we get bigger; the hackers are out there looking for the big guys to steal from.” But that is not true at all. It’s like the burglar who will just move on to the next house when they see the ADT sign in your neighbor’s yard. If your neighbors are the bigger companies with the fancy security and armed guards, it is your network the hackers are after, because they know it will be easier.

But you want to say, “I don’t have anything worth taking,” and that might be true at the data level, but you do have something worth taking. It is your resources, your connections to other networks, and the fertile playground you are giving them to practice their craft. By allowing your network to go unprotected, you are allowing hackers to practice, to find vulnerabilities they can use against other networks, and potentially to use your network to launch an attack on another organization.

I am writing this so that we can stop equating security with insurance. Stop looking at this as a cost and start looking at it as a responsibility. You are not only protecting your data, your employees, and your customers; you are also protecting other organizations by putting the guards up around yours.

If you do not have a security team or strategy, don’t worry. It’s not too late and it does not have to be scary. There are lots of great consultants out there who can help. As a 12-year veteran of the information security and compliance space, I invite you to send me an email at or reach out via LinkedIn to ask any questions you might have on this topic.