Security Leadership #21: Security's Economic Reality Check
Are economic forces finally aligning with good security practices?
Welcome to Issue #21 of Security Leadership Weekly.
This week's stories reveal something remarkable: for the first time in years, the economics of cybersecurity are actually working in favor of defenders. From insurance premiums rewarding security hygiene to attackers choosing identity theft over complex infrastructure attacks, market forces are finally validating what we've been saying all along.
🛡️Tactical Challenges
eSentire's latest threat intelligence paints a sobering picture for security leaders evaluating cyber insurance strategy: identity attacks have surged 156% year-over-year and now comprise 59% of all security investigations. This increase is driven in part by phishing-as-a-service platforms such as Tycoon 2FA, which rent out adversary-in-the-middle capabilities for just $200-$300 per month, and by infostealer logs selling for as little as $10. BEC attacks specifically increased 60% year-over-year to 41% of all attacks in Q1 2025, and FBI data consistently shows BEC causes greater financial losses than ransomware, making this shift particularly relevant for insurance risk models.
This data validates why insurers have been tightening identity and access management requirements in underwriting; the ROI for identity-based attacks far exceeds traditional malware or vulnerability exploitation, creating strong incentives for attackers to focus on credential theft. This, in turn, means organizations without robust identity security architectures are becoming uninsurable risks. Investments in modern identity controls like phishing-resistant credentials, passkeys, and enhanced browser instrumentation will not only improve security posture but also position organizations favorably in insurance negotiations as carriers recognize the dramatic risk reduction these technologies provide against the fastest-growing attack vector in cybersecurity.
Here's what keeps me up at night: we've created a threat economy where a teenager with $300 can launch attacks that previously required nation-state resources. But here's what gives me hope: we've also created an insurance market that finally understands the difference between security theater and actual risk reduction.
Connor Jones has written a nice summary of the eSentire report for The Register, which can be found here.
US Cyber Insurance Premium Shrinkage to Continue
Fitch Ratings' latest data showing a 6% decline in US cyber insurance premiums tells a story that should encourage security leaders: the market is finally rewarding good security hygiene instead of just panic-buying coverage after incidents. Despite the premium shrinkage, insurers posted their third consecutive year of profitable results with a 47% combined loss ratio, well below the 100% break-even point, so the industry is far from bleeding money on claims. More importantly for us as security practitioners, this premium moderation is driven by fewer ransomware incidents, better executive cyber risk awareness, and insurers' stricter enforcement of cyber hygiene standards like MFA and regular patching - validation that investments in basic security controls are moving the needle on organizational risk.
For security leaders evaluating cyber insurance strategy, this data suggests we're entering a buyer's market where demonstrable security maturity translates directly to better coverage terms and pricing (see the eSentire report covered above). This trend indicates that it’s a good time to leverage your security program investments in insurance negotiations, but also prepare for increasingly sophisticated underwriting that will differentiate between organizations with real security programs versus those just checking compliance boxes. With global cyber premiums projected to hit $32 billion by 2030, the organizations that build genuine security capabilities now will be best positioned to access affordable coverage as the market continues maturing.
🤖 Emerging Solutions
Detecting and blocking phishing attacks in the browser, by Alex Henshall
Recently, I’ve been spending more time examining browser-based detection as a means of strengthening preventive controls and detections for identity attacks. This post on the Push Security blog details their approach, which is brilliant in its simplicity: instead of trying to detect domains or webpage content that attackers can easily change (using tricks like Cloudflare Workers to block analysis, hacked WordPress sites for reputation, or rotating URLs), they focus on the one thing attackers can't change - users have to enter their passwords for credential phishing to succeed. Push essentially "domain-binds" passwords, similar to how passkeys work, preventing users from entering their legitimate credentials into any site except the correct domain, while still providing visibility into attack attempts through secondary detection of cloned login pages and known phishing toolkits.
The before-and-after examples they provide here perfectly illustrate why traditional defenses fail; the same phishing kit that successfully evades email scanners and SWGs by redirecting to benign sites during analysis gets completely neutered when the browser simply won't allow users to enter their actual passwords. The password never leaves the user's browser, and the check is made using a shortened salted hash, which addresses the obvious privacy concerns while turning the browser into a remarkably effective last line of defense against the exact attack vector that's driving the surge in identity attacks we’re covering elsewhere in this issue. Love these elegant, persistent solutions that don’t involve trying to guess the latest delivery vector or attacker infrastructure. Watch this product space!
AT&T deploys new account lock feature to counter SIM swapping, by Greg Otto
AT&T finally joined the "maybe we should make SIM swapping harder" party by rolling out their Wireless Account Lock feature, which blocks all the usual SIM swap shenanigans like transferring numbers, swapping SIMs, and changing billing info (something T-Mobile, Verizon, and Google Fi have been doing for a while now). The feature can only be managed through AT&T's app on a registered device (so don’t lose your phone!), and it covers both individual and business accounts with granular controls for corporate admins who want to lock down specific lines. It might be a stretch to have included this under “Emerging Solutions,” but it’s a promising development for a part of our communications supply chain that’s often slow to innovate.
It’s also a timely step in the right direction, given ongoing social engineering/MFA bypass by Scattered Spider and others. But as security leaders know, carrier-level protections are just one layer in the "please don't let someone social engineer their way into my CEO's accounts" defense stack.
👤People and Processes
It’s not your fault, but it is your problem, by Sidney Shek
I really enjoyed this Substack article by Sidney on taking ownership of user problems. At the center of his argument is a “concierge mindset” that applies to both incidents and service integration. It goes beyond simply taking ownership of a problem, since the real issue may be outside of your system or sphere of control. This is where Systems Theory comes in (which we just talked about in the last issue of this newsletter) - we should be deliberate in attempts to minimize and control dependencies in any system we build to improve reliability and reduce complexity. Sidney has some practical advice here for doing so, and for resolving user issues in a scalable way. Definitely worth a read!
Career Longevity & The Don't Fire Me Chart, by Phil Venables
Phil Venables just dropped some career survival wisdom that every security leader needs tattooed on their brain: the infamous "Don't Fire Me Chart" that explains why so many CISOs get axed right when they're about to turn things around. The pattern is painfully predictable: you get hired to fix security problems, score some quick wins that make leadership happy, then start improving monitoring and risk assessments only to discover a bunch of previously unknown issues that make it look like you've made everything worse. Cue the executive panic and your inevitable replacement, who promptly repeats the same cycle because that's how actual security improvement works.
Venables' advice? Show this chart to leadership on day one and tell them that things will appear to get worse before they get better; discovering hidden problems through better instrumentation isn't failure, it's progress. The organizations that stick with their security leaders through this "uncanny valley" phase are the ones that eventually hit sustained lower risk levels. In contrast, the ones that keep cycling through CISOs never escape the hamster wheel of perpetual crisis. The “Don't Fire Me” chart isn't just career advice; it's a perfect illustration of why security economics have been broken for so long. Organizations often fire CISOs right when they start uncovering the real problems, then wonder why their insurance premiums continue to rise and incidents persist. The companies that break this cycle are the ones now benefiting from lower insurance costs and better security outcomes.
💡Connecting the Dots: Security finally makes financial sense
For the first time in my career, market forces are actually working for defenders:
Attackers are choosing the path of least resistance (identity) because it's economically rational.
Insurers are rewarding real security investments, rather than compliance alone.
Even traditionally slow-moving carriers are implementing basic protections, and engineering-based solutions that persist despite changing tools and infrastructure (read: defenses aimed at the top of the pyramid of pain, the behaviors attackers can't cheaply change, rather than the domains and hashes at its base) will win the day.
But here's the catch: this economic alignment only works if you're playing the right game. Organizations that remain focused on vulnerability counts and compliance checkboxes will likely find themselves priced out of insurance markets and increasingly targeted by sophisticated identity attacks.