2 Things Every CSO Should Know: Understanding The Difference Between Cybersecurity Prevention And Response.
Why is it important to know the difference? Protecting your organization’s data and your clients’ data is critical to the business. It is dangerous to spend too much money and time on the wrong cybersecurity effort. Therefore, to make good business decisions about cybersecurity, it is critical to understand the difference between the two and where each belongs, even if you are not technical.
#1 Prevention: Prevention should be fundamental for any organization.
Illustration part 1 of 2: Imagine you are a bank owner and you need to architect your bank to keep the money safe. What would you do? No doubt you would implement many preventative measures such as adding a safe, locks, bulletproof glass, and cages. All of these things are fundamental to stopping criminals.
Similar to our illustration, cybersecurity prevention measures are automated hardware and software systems that stop criminals without human intervention.
Cybersecurity Prevention Items
· Firewall
· Endpoint protection (Antivirus)
· Intrusion Prevention Services
· Spam Filters
· Bad IP and Geographical filters
· Group Policies
· Password Policies
· Application Policies
So automated prevention is all I need, correct? Wrong. Take a look at the news – cybersecurity breaches are making headlines daily. Post-mortem investigations have found that the majority of victim organizations already had robust prevention measures in place. The problem is that criminals are able to outsmart hardware and software. They use techniques such as social engineering and stolen credentials to gain access to environments, and current prevention measures cannot stop those techniques.
#2 Security Response: Security Response requires detection of suspicious activity, investigation, and a response to stop the criminal. To be successful, security response is a combination of having the proper staff, experts, 24/7 coverage, and tools in place.
Illustration part 2 of 2: Let’s go back to the bank illustration. As the bank architect you have installed all of the preventative measures, such as the safe and locks. Would you neglect to install an alarm system, a camera system, and security guards? Not likely; all of those things are critical, since preventative measures can be overcome or employees can be coaxed into giving a criminal access. An alarm system or camera system provides insight into what is going on, and security personnel can then investigate, respond, and stop the crime.
Similarly, in cybersecurity, network traffic analyzers and security information and event management (SIEM) systems can provide insight into anomalies and strange behaviors and support correlated investigations. Caution is needed – don’t be fooled. Installing these tools and simply waiting for them to alert you when you need them will inevitably result in a sea of white noise. Relying only on the tools is comparable to buying security cameras but having no personnel to monitor the camera feed: all they will do is record the breach after it is over. Target is a perfect example of having the tools in place but not the proper human resources. Target had two separate alerts that should have tipped them off to what was happening. Unfortunately, they did not have a 24/7 team investigating all incidents as they happened.
In 2017, cybersecurity response tactics cannot be ignored. Statistics indicate that every company will be breached in the next 5-10 years. Perhaps you have heard the saying “it is not if, but when”. Be prepared for when it happens, so that you are able to respond quickly and protect your organization.