I am surprised by the number of articles published this past year, and by the security experts who have subscribed to and even promoted the mantra “cyber security prevention is dead.” You can easily find articles and opinions by googling “cyber prevention is dead.” Unfortunately, the industry authorities who recommend that organizations accept this mantra may influence security executives to spend less on preventive solutions in favor of Incident Response (IR) solutions. This could have dangerous consequences for the security of those organizations. These experts are not saying we should increase security spending in order to better detect security incidents. Instead, they encourage decision makers to “shift spending from prevention towards IR.”
I challenge that view. Research tells me that organizations have done a poor job at cyber security protection, and this has led to most major data breaches. Cyber security defense solutions are still very much alive and crucial to avoiding breaches. I argue this opinion using mathematical calculations within my recent whitepaper “Doing the Math: Lessons Learned from the JPMorgan Chase and Anthem Security Breaches.”
A security incident is a compromise of an information asset. A data breach is a security incident where the compromise involves sensitive data disclosure. Intuitively, it stands to reason that the more security incidents an organization experiences, the more likely it is to experience one or more data breaches.
Cyber security defense solutions are those which are designed to proactively protect the organization from security incidents. These include far more than antivirus solutions; they also include firewalls, intrusion detection/prevention (IDS/IPS), data loss prevention, vulnerability management, and much more.
In contrast, IR security solutions are designed to detect and respond to security incidents. Ideally, IR solutions would detect an incident rapidly and automatically, and immediately eliminate the threat, such that a data breach would be averted. However, IR technology is not yet sophisticated enough to do so. It certainly is required in order to detect and respond to incidents, but it cannot replace preventive security solutions. Additionally, IR solutions require tender loving care. IR does not reduce the number of incidents; in most cases it simply alerts on them. IR solutions require great oversight to deploy and maintain, and human interaction is necessary to respond to the alerts.
If we observe the data breach landscape from 2014 to 2015, we see that organizations are often lax when it comes to security prevention. Take the case of the US Office of Personnel Management (OPM) data breach, which resulted in a loss of 21.5 million records of personally identifiable information. A report filed by the Office of the Inspector General concluded that “OPM did not maintain a comprehensive inventory of servers, databases and network devices.” In fact, auditors were unable to tell if OPM even had a vulnerability scanning program in place. I personally would not recommend OPM spend less on preventive solutions when I find it difficult to see good prevention in the first place.
Cyber security prevention is certainly not dead. The more effective preventive solutions an organization has in place, the less likely it is to experience a security incident and, consequently, the less likely a data breach is to occur.
Fortunately, I am not alone in my concerns. Not all experts subscribe to the view “cyber prevention is dead,” and I’ve been very encouraged to read a recent Forrester paper which aligns with my perspective on this and which is titled “Predictions 2016: Cybersecurity Swings to Prevention.” I invite you to read Forrester’s insight as well as my whitepaper for more information and education on the continued importance of preventive security solutions.