Ok. Maybe it’s a little. As cyber-attacks and cyber-terrorism make news daily, we are treated to the same cyber-security maxim at every keynote address: “Your security program should be proactive, not reactive.” Who doesn’t want to be proactive? It sounds good at board meetings and in strategic conversations with leadership. However, the hype around attack prevention has left many organizations with immature incident response programs.
The “proactive” rallying cry keeps CISOs focused on finding new ways to predict, isolate, and minimize attacks. In a perfect world, a proactive approach would have stopped WannaCry*, and you wouldn’t see a hundred blog posts from security vendors asserting they had the magic pill to prevent it. But even a heavily funded prevention program can never be perfect, regardless of how many tools it deploys. Most companies say they patch everything within 30 days, but something always gets missed. If you accept that a breach is inevitable, the most important action you can take is to build a first-rate security incident response program. Fast response reduces risk when prevention fails, and eventually it will.
In a recent Rsam webinar, CISO Bryan Timmerman discussed why organizations often struggle with effective response and how to overcome the common challenges. He doesn’t advocate throwing the baby out with the bathwater when it comes to your prevention strategy. Rather, he suggests that excellent incident response can be a real “game changer.” And if the board questions your security strategy, just tell them you’re taking a proactive approach to reactive security.