There can be many reasons why a company takes an initiative to improve its information security. However, one specific reason repeats itself time and again: "Because the auditors say so, we have to..."
The reality, and the logic that follows from it, has so far often been this: regulatory or legal requirements are enforced through sanctions for non-compliance, and these sanctions had to be avoided. The result was a check-list approach to regulatory compliance. If the boxes could be ticked with the absolute minimum of cost and effort needed to avoid non-compliance and thus the fine, the "most advantageous" approach for the company had been found. This could not, and cannot, be regarded as a well-thought-out strategic view of governance and compliance.
But over time the requirements change, they become more and more specific. The latest example from the insurance industry is the document "Versicherungsaufsichtliche Anforderungen an die IT" (VAIT), which was finalised in July 2018 and published by BaFin (Bundesanstalt für Finanzdienstleistungsaufsicht - German Federal Financial Supervisory Authority), providing insurance companies with more tangible requirements for the implementation of their business processes using IT.
The similarity of the name to BAIT, and thus to the banking supervisory requirements for IT, is by no means a coincidence: both documents originate from BaFin and also have strong parallels in terms of content. Both documents therefore represent challenges that the affected companies must meet appropriately, transparently and in a well-documented manner. And since they are only refinements of regulations that are already in force, they apply immediately.
However, it is not only external requirements that are changing. Companies also understand that IT today is a central component of their core business, or is their core business. Backup, contingency management, security, audit and governance are therefore increasingly becoming requirements demanded by a growing number of internal stakeholders in order to maintain and improve the basis of the business. IT risk management produces meaningful key figures such as "key risk indicators", which in turn lead to clear guidelines on acceptable downtimes and restart times, but also to statements on SoD (segregation of duties), privilege management, assignment of rights and access governance.
It is also clear that, because BAIT was published a little earlier, banks may have a certain head start in implementing effective measures. Conversely, insurance companies can benefit, directly or through consolidated best practices, from the experience of a related industry.
Proactive companies that demonstrably have to meet a large number of requirements (both external and internal) through policies, controls, documentation and reporting will want to cover VAIT as part of an efficient "Control once, comply to many" strategy. And with the much more specific (but still interpretable) requirements of VAIT, some insurance companies will have a concrete need for action, be it establishing a reliable status quo or identifying and carrying out concrete implementation projects.
To put it as a challenge: the VAIT are openly available to everyone and are published on the Internet, with an English version expected soon. Truly proactive CISOs in companies beyond the financial sector will take them as a starting point and as a challenge to the quality of their own security and compliance, not because of concrete regulatory requirements, but to secure their own company.