If you had $100,000 extra, would you spend it on prevention, detection, or response?\tA driving concern -- and daily occurrence -- for organizations is data breach. Unfortunately, the gap between perception and reality (read\u00a0here) creates a bias toward spending extra money on prevention.\tThe reality of data breach is when, not if.\tJust recently, Target got slammed (again) when it was reported they failed to act on alerts. What happened to Target is not unusual and only shows how current detection also suffers from the bias of prevention (here).\tPrevention bias creates blind spots in strategy and capability. For some companies, it's increasing the likelihood of breach by misdirecting attention and resources while dampening the ability of organizations to detect and respond effectively.\t\u201cOrganizations are neglecting response and neglecting to prepare for a response, \u201d according to Thomas Reagan, the Large Risk Underwriter for Beazley\u2019s Breach Response Insurance\tRefuting the narrative\tBloomberg Businessweek dedicating a brutal cover to lambasting Target for not doing enough\u00a0only reinforces the prevention bias.\tThe real story is different.\tDamballa lays out the logic (here) that 66% of security professionals admit a breach is inevitable. 59% admit that when prevention fails, their high value assets aren't safe. That suggests prevention is not enough.\u00a0\tYet cries for action and media reports serve mainly to reinforce the bias and cause companies to scramble for solutions aimed at prevention only.\tThis is not a sound strategy.\tAdopt a balanced approach to avoid the bias\tIn buildings safety, emphasis is divided between prevention, detection, and response. Smoke detectors and alarms are installed. Sprinklers and fire-suppression systems are common place. Even when mocked, organizations conduct regular fire drills and invest in training of people responsible to guide evacuations, if necessary.\tThe goal remains preventing a fire or other incident. However, in the event of a problem, the investment in detection and response generally improves the safety of people and protects property. Even in outlier situations, the investment pays off with a reduction in damage and harm.\tPrevention, detection, and response as a system\tThe problem with placing attention on the wrong things is that people don't know what to do. Without the right insights and training, they often end up making the wrong decision. Usually at a critical time, too.\tInstead of individual elements, consider prevention, detection, and response as parts of an integrated system. They are linked, each informing the other.\tMore mature organizations map and learn from the system. As a result, each part gets better. For example, detection can be tuned to look for known gaps in prevention. Common responses set the foundation for improved prevention and enhanced detection.\tThe role of better detection\tOne of the positive lessons afforded by the Target breach is the need to embrace and adopt better detection methods (here).\tAs Brian Foster, CTO of Damballa, explained, "You may get thousands of alerts a day. Many are false positives. Many are not important. The focus needs to shift from manually tracking alerts to automatically detecting actual infections that have made it into the network."\tThe challenge is scale. It's not reasonable (or likely) to keep adding more people to review alerts. The system needs to focus on providing actionable insights. People need the information necessary to properly triage -- and act -- on alerts.\tUltimately, context and correlation are key. The more insight provided in the alert about the risk, the confidence, and potential actions, the stronger the potential response.\tBreach Response: a new practice\tThe key is making sure the response process is measured, improved, and able to engage with others to enhance specific situations.\tResponding, successfully, to a breach is becoming a new discipline unto itself. Reagan explained that Beazley is building a team of experts dedicated solely to breach response. Their entire focus is on guiding -- and learning -- from each breach.\t\u201cBeazley is the first insurer that took the approach of developing a dedicated team [to handle breach response]. Companies were unable to make the best decisions for their organizations. They didn\u2019t know the notification procedures, they didn\u2019t know who to reach out to, and they made counterproductive decisions that made the breach worse.\u201d\tThis doesn't replace the current response teams and processes. Instead, this serves as a powerful enhancement - especially when it comes to handling breaches.\tDon't forget about the culture\tThe advantage to considering prevention, detection, and response as a system is the ability to harness the power of people and shift the overall culture of the organization. With this approach, the shortage of qualified people is only a perception (read more here).\tAdmittedly, getting this right requires a different approach to communication and training. Done right, it means people take a more active, personal role in prevention. They become an extension of the detection, tapping into the power of human intuition. And often, people do remarkable things when given the opportunity -- and guidance -- during response.\tAs a first step, consider the incident reporting\u00a0process and extending people a voice in the process (here).\u00a0\tMaking the right changes, right now\tStart by recognizing the prevention bias created blind spots in most organizations. Evaluate the current bias in your organization. Explore how prevention, detection, and response compare? How do they work together?\tConsider the system and the process(es):\t\t\tHow is it measured overall?\t\t\tHow is it improved (again, overall)?\tWhile considering the role and importance of detection and appropriate response, don't let the pendulum swing too far.\u00a0Prevention continues to play an essential role in reducing the likeliness and impact of data breach.\tThe key is finding the right balance. Focus on building a program that provides ever-improving prevention, mapped to better detection and response. It might just keep you out of the headlines.