


Our bias for breach prevention is causing blind spots

Mar 25, 2014 | 5 mins
Business Continuity, Data and Information Security, IT Jobs

We have an inherent bias toward prevention, even as we freely admit we can’t prevent a breach. That leads to the neglect of detection, response, and the role of culture in building a successful security program.

If you had $100,000 extra, would you spend it on prevention, detection, or response?

A driving concern — and daily occurrence — for organizations is data breach. Unfortunately, the gap between perception and reality (read here) creates a bias toward spending extra money on prevention.

The reality of data breach is when, not if.

Just recently, Target got slammed (again) when it was reported they failed to act on alerts. What happened to Target is not unusual and only shows how current detection also suffers from the bias of prevention (here).

Prevention bias creates blind spots in strategy and capability. For some companies, it’s increasing the likelihood of breach by misdirecting attention and resources while dampening the ability of organizations to detect and respond effectively.

“Organizations are neglecting response and neglecting to prepare for a response,” according to Thomas Reagan, the Large Risk Underwriter for Beazley’s Breach Response Insurance.

Refuting the narrative

Bloomberg Businessweek dedicating a brutal cover to lambasting Target for not doing enough only reinforces the prevention bias.

The real story is different.

Damballa lays out the logic (here) that 66% of security professionals admit a breach is inevitable. 59% admit that when prevention fails, their high value assets aren’t safe. That suggests prevention is not enough. 

Yet cries for action and media reports serve mainly to reinforce the bias and cause companies to scramble for solutions aimed at prevention only.

This is not a sound strategy.

Adopt a balanced approach to avoid the bias

In building safety, emphasis is divided between prevention, detection, and response. Smoke detectors and alarms are installed. Sprinklers and fire-suppression systems are commonplace. Even when mocked, organizations conduct regular fire drills and invest in training the people responsible for guiding evacuations, if necessary.

The goal remains preventing a fire or other incident. However, in the event of a problem, the investment in detection and response generally improves the safety of people and protects property. Even in outlier situations, the investment pays off with a reduction in damage and harm.

Prevention, detection, and response as a system

The problem with placing attention on the wrong things is that people don’t know what to do. Without the right insights and training, they often end up making the wrong decision. Usually at a critical time, too.

Instead of individual elements, consider prevention, detection, and response as parts of an integrated system. They are linked, each informing the other.

More mature organizations map and learn from the system. As a result, each part gets better. For example, detection can be tuned to look for known gaps in prevention. Common responses set the foundation for improved prevention and enhanced detection.

The role of better detection

One of the positive lessons afforded by the Target breach is the need to embrace and adopt better detection methods (here).

As Brian Foster, CTO of Damballa, explained, “You may get thousands of alerts a day. Many are false positives. Many are not important. The focus needs to shift from manually tracking alerts to automatically detecting actual infections that have made it into the network.”

The challenge is scale. It’s not reasonable (or likely) to keep adding more people to review alerts. The system needs to focus on providing actionable insights. People need the information necessary to properly triage — and act — on alerts.

Ultimately, context and correlation are key. The more insight provided in the alert about the risk, the confidence, and potential actions, the stronger the potential response.

Breach Response: a new practice

The key is making sure the response process is measured, improved, and able to engage with others to enhance specific situations.

Responding, successfully, to a breach is becoming a new discipline unto itself. Reagan explained that Beazley is building a team of experts dedicated solely to breach response. Their entire focus is on guiding — and learning — from each breach.

“Beazley is the first insurer that took the approach of developing a dedicated team [to handle breach response]. Companies were unable to make the best decisions for their organizations. They didn’t know the notification procedures, they didn’t know who to reach out to, and they made counterproductive decisions that made the breach worse.”

This doesn’t replace the current response teams and processes. Instead, this serves as a powerful enhancement – especially when it comes to handling breaches.

Don’t forget about the culture

The advantage to considering prevention, detection, and response as a system is the ability to harness the power of people and shift the overall culture of the organization. With this approach, the shortage of qualified people is only a perception (read more here).

Admittedly, getting this right requires a different approach to communication and training. Done right, it means people take a more active, personal role in prevention. They become an extension of the detection, tapping into the power of human intuition. And often, people do remarkable things when given the opportunity — and guidance — during response.

As a first step, consider the incident reporting process and extending people a voice in the process (here). 

Making the right changes, right now

Start by recognizing that the prevention bias created blind spots in most organizations. Evaluate the current bias in your organization. Explore how prevention, detection, and response compare. How do they work together?

Consider the system and the process(es):

  • How is it measured overall?
  • How is it improved (again, overall)?

While considering the role and importance of detection and appropriate response, don’t let the pendulum swing too far. Prevention continues to play an essential role in reducing the likelihood and impact of a data breach.

The key is finding the right balance. Focus on building a program that provides ever-improving prevention, mapped to better detection and response. It might just keep you out of the headlines.


Michael Santarcangelo develops exceptional leaders and powerful communicators with the security mindset for success. The founder of Security Catalyst, he draws on nearly two decades of experience of success advancing security in a variety of operational roles. He guides leaders and teams on the best next step of their journey.
