Incident Response Services, Risk Assessment, And Bean Counters
I've been to presentations from incident response services that bundle monetary insurance with forensics, public relations (damage control), and the like. It was much food for thought.
Consider that risk assessment is something too few companies do. They may have a sense of what some of their data assets are, but far too few have actually assessed the risk, responded to it, and identified all of their assets adequately.
And, with too little emphasis on risk assessment, you can easily find infosec zealots who, while well-meaning, often flap their jaws about what tech is needed for infosec without understanding the cost-benefit trade-offs. But such trade-offs can only be evaluated with a proper risk assessment. I've seen too many IT teams struggle with the bean counters to get tech funded because they didn't understand this.
Then consider that the insurance industry is the founder of formalized risk underwriting, with a much richer history and a larger contribution to our modern market and concept of money than most are aware. So, the prediction I've been trying to sell is this: when this history becomes better understood in the infosec industry, security standards will start to get fleshed out at a much better level than they are now, and insurance companies will then be able to rate your company accordingly. That means the bean counters will be able to set an infosec budget based on market standards, measured not just in terms of risk assessment but in terms of how much insurance coverage, in money, a company can get for what price. And that's a free-market viewpoint that I think should work for everyone: conservatives, centrists, and liberals.