Risk management must be accompanied by strong incident response

What’s the best way to protect against security incidents? Most security professionals would agree with the old colloquialism that “an ounce of prevention is worth a pound of cure.” The theory here is that if you lock down your IT infrastructure, applications, and sensitive data, you’ll make things much harder for the bad guys from the start.

To achieve this goal, a lot of organizations are embracing risk management. Risk management decisions are made on an IT asset-by-asset basis depending upon the level of exposure (i.e., threats and vulnerabilities) as well as the asset value (i.e., the relative significance each asset delivers in overall business operations). Armed with these metrics, organizations can make qualitative and quantitative risk management decisions such as risk acceptance, risk assignment or transfer (i.e., transferring potential risk to a third party such as an insurance company), or risk reduction (i.e., mitigating risk by implementing security controls, policies, and procedures). In this case, a control is defined as a “mechanism used to restrain, regulate, or reduce vulnerabilities.”

The trend toward risk management is illustrated in the recently published ESG Research Report, U.S. Advanced Persistent Threat Analysis. When asked about their organization’s security philosophy, 61% of security professionals responded, “my organization prioritizes information security policies, procedures, and technical controls to minimize the risk of a cybersecurity incident,” while 39% of respondents said, “my organization prioritizes information security policies, procedures, and technical controls for detecting and remediating cybersecurity incidents if/when we are attacked.”

Clearly the “ounce of prevention” strategy is gaining momentum, and that’s a good thing, but only if security professionals continue to invest in and improve the “pound of cure.” Unfortunately, this is not always the case.

ESG research indicates that many large organizations have numerous problems with regard to incident response. Specifically, they don’t have the right tools, analysis skills, or processes for event detection and remediation. Furthermore, there are almost no security incident response business processes in place. When a security breach occurs, the legal, PR, HR, and executive management teams have very little guidance for what to do next. This leads to lost time, which typically exacerbates the damage.

My point here is simple. It’s critically important to build security into all aspects of IT as this WILL make any organization far less vulnerable to cybersecurity attacks. That said, it is equally important to assume that you will be attacked and make sure you are adequately prepared for this eventuality. Without best practices for risk management AND incident response, large organizations face far greater risks than they realize.