What’s the best way to protect against security incidents? Most security professionals would agree with the old colloquialism that “an ounce of prevention is worth a pound of cure.” The theory here is that if you lock down your IT infrastructure, applications, and sensitive data, you’ll make it much harder for bad guys from the start.
To achieve this goal, a lot of organizations are embracing risk management. Risk management decisions are made on an IT asset-by-asset basis depending upon the level of exposure (i.e. threats and vulnerabilities) as well as the asset value (i.e. the relative significance each asset delivers in overall business operations). Armed with these metrics, organizations can make qualitative and quantitative risk management decisions such as risk acceptance, risk assignment or transfer (i.e. transferring potential risk to a third party such as an insurance company), or risk reduction (i.e. mitigating risk by implementing security controls, policies, and procedures). In this case, a control is defined as a “mechanism used to restrain, regulate, or reduce vulnerabilities.”
The trend toward risk management is illustrated in the recently published ESG Research Report, U.S. Advanced Persistent Threat Analysis. When asked about their organization’s security philosophy, 61% of security professionals responded, “my organization prioritizes information security policies, procedures, and technical controls to minimize the risk of a cybersecurity incident,” while 39% of respondents said, “my organization prioritizes information security policies, procedures, and technical controls for detecting and remediating cybersecurity incidents if/when we are attacked.” Clearly the “ounce of prevention” strategy is gaining momentum, and that’s a good thing, but only if security professionals continue to invest in and improve the “pound of cure.” Unfortunately, this is not always the case.
ESG research indicates that many large organizations have numerous problems with regard to incident response. Specifically, they don’t have the right tools, analysis skills, or processes for event detection and remediation. Furthermore, there are almost no security incident response business processes in place. When a security breach occurs, the legal, PR, HR, and executive management team have very little guidance for what to do next. This leads to lost time which typically exacerbates the damages.
My point here is simple. It’s critically important to build security into all aspects of IT as this WILL make any organization far less vulnerable to cybersecurity attacks. That said, it is equally important to assume that you will be attacked and make sure you are adequately prepared for this eventuality. Without best practices for risk management AND incident response, large organizations face far greater risks than they realize.