Prevention vs Resilience
A "simple" question it is not - Security has few that are, particularly when it comes to the question of where to invest. I do agree that you should ask for more money as a first ploy. Failing that...
The true answer depends on the strategy you have in mind (and yes, your question does indicate you have one):
Short-term: if you want an immediate fix to gain protection NOW - clearly your best course is something preventive.
Long-term: If you are working on a long-term programmatic protection and stability plan - go for resilience.
If these objectives are not mutually exclusive, I would spend the dollar this way:
Year One: Short/Long: 70/30 (for quick protective ramp-up, and L-T strategy initiation)
Year Two: Short/Long: 40/60 (completion of S-T elements, beginning of L-T implementation)
Year Three: Short/Long: 25/75 (maintenance of S-T elements, testing and progressive roll-out of L-T)
By Year 5, you should be in Sustaining Engineering Mode, spending your buck as needed on maintenance and tune-ups, which should include Incident Response, btw.
Resilience almost every time. The dirty secret of cybersecurity is that, given enough time, every organization will be compromised. Assuming you have encrypted your data well and have good key management practices, then your primary mission is to keep running - always operate on the assumption you are already penetrated, because you are - unless you don't have employees.
I carry the firm belief that resilience is the new prevention in the sense that getting rid of the root causes, thus being able to abstain from hindrances pertaining to cyber security issues before their occurrences, is key to saving energy and time as regards setting up a state-of-the-art line of defences. To illustrate: no anti-virus or pen-testing may function to the full intended extent in the absence of the required backup and training schemes as the indispensable features beneath any prevention subject. Therefore, without neglecting the importance of prevention, I would like to highlight resilience as the foremost and quite evidently foreshadowing concept when it comes to meaningful outcomes from a cyber security frame.
Some additional thoughts:
Resilience is defined as the capacity to recover quickly from difficulties; toughness: alternatively, the ability of a substance or object to spring back into shape; elasticity. Prevention supports this quality, but does not by itself achieve it.
Cybersecurity programs contain many components that contribute various actions or states. In combination, they achieve the qualities of resilience, reliability, recoverability, resistance, redundancy and robustness. The commonly employed methods and technologies all contribute to their achievement by performing their intended actions: most perform two or more. Preventive is one type and contributes greatly to infrastructure resiliency, as do the other types of detective, corrective, etc. They integrate, making their sum greater. None displaces any other but rather augments and amplifies it.
One must bear in mind that events and actions not motivated by human actors can largely be overcome by controls and countermeasures. The human minds that act as adversaries can understand anything the defenders are going to come up with - this is axiomatic. None of the qualities or actions have ever proven to be sufficient alone, nor will they ever.
Achieving "resilience" is AN answer, but not "THE" answer. It is a "qualitative result", not a "creative action".
NB: this is a short write-up and does not provide a full view of the issue.
I have an audit background, always moving to areas where I can be more creative, therefore less rule-based environments. I currently find myself in the GRC space and am slowly moving from Risk to Strategy. I find that today more rules are created because many organisational management teams from my generation (so I am a bit older) are not fully aware of the risks in the cyber area of their business. Clever consultants excite them with long-winded "around-the-computer" policies and procedures, which only protect you if the people follow them (as one of the previous commentators already noted - you have already been hacked - you have people, and they are not always (sorry, never) fully predictable when they have your data).
So, to cut it short, if I am the CIO I would convince business that I need to spend my dollar in the short term mostly on prevention, but "through-the-computer" monitoring with a long-term view of getting business to understand that they should be resilient when the real hack happens. From the start, split the dollar into prevention and then resilience, with increased resilience spending (from a budgeting point of view it would be great, because the CIO spending would decrease and the business spending (this is not a service area) increases to ensure resilience :)
I think part of the problem with a question like the initial one asked by Mr. Brodsky is that it appears simplistic when the subject it is addressing is quite the opposite. The answers "Security" must find require constantly balancing business priorities with the "threat of the moment" - this act is both difficult and complex.
I also think part of solving this is to set a fairly firm set of priorities organized around the business to lay a foundation and then (within certain limits) allow "Security" to evolve and adapt to the changing threat-risk landscape, while still keeping those business priorities foremost.
Security and Business must co-exist - of that there can be no doubt. But each must move toward a compromise position with the other until the optimal result is found. Little in this relationship will remain static, nor should it - the universe they exist in is not static. Business remains the driver and the definer of the priorities nonetheless.
Considering what could be spent on cyber defense, there are low-cost actions small businesses can take to make them a less attractive target. Companies can improve their security posture by assessing and hardening their network. This includes segregating the internal and external network with firewalls, removing sensitive information from public facing portions of the network, maintaining logs and regular system backups, disabling unnecessary services, and, most importantly, regularly updating and patching software and applications. Many cybercriminals are opportunistic, seeking systems with known vulnerabilities to exploit. By properly configuring and patching your systems, you can make yourself a less attractive target to attackers.
Last September, the Department of Homeland Security ordered all federal agencies to cease using Kaspersky products because of the threat that Kaspersky’s products could “provide access to files.”
A month later, The New York Times reported that the Homeland Security directive was based, in large part, on intelligence shared by Israeli intelligence officials who successfully hacked Kaspersky Lab in 2014. They looked on for months as Russian government hackers scanned computers belonging to Kaspersky customers around the world for top secret American government classified programs.
In at least one case, United States officials claimed Russian intelligence officials were successful in using Kaspersky’s software to pull classified documents off a home computer belonging to Nghia H. Pho, an N.S.A. developer who had installed Kaspersky’s antivirus software on his home computer. Mr. Pho pleaded guilty last year to bringing home classified documents and writings, and has said he brought the files home only in an attempt to expand his résumé.
While the aforementioned steps will help reduce the likelihood of an incident, you may not prevent all attacks. Understanding the inevitability of an attack, it is prudent to invest some resources in a comprehensive cyber incident response and remediation plan before an attack occurs. This plan should identify critical roles and responsibilities as well as a logical plan to contain and mitigate a cyber threat so you can restore your systems and business operations as quickly as possible. A third-party mitigation company can assist you with this task. The value of a response plan cannot be overstated. Not having an agreed-upon approach will likely lead to longer downtime and potentially costly mistakes. Failure to take these kinds of steps has made information loss the most expensive consequence of cybercrime.
How Antivirus Software Can Be Turned Into a Tool for Spying: https://www.nytimes.com/2018/01/01/technology/kaspersky-lab-antivirus.html
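The hardening checklist in the comment above (segregate internal from external networks, keep sensitive data off public-facing hosts, keep logs and backups, disable unnecessary services, and patch first) can be turned into a repeatable posture audit rather than a one-off effort. The script below is an added example, not code from the original thread or any commenter; it scores a constructed host inventory against that checklist. The `Host` records, the allow-list of externally exposed ports, the 24-hour backup window and the priority ordering are all assumptions chosen for illustration.

```python
"""Posture audit that codifies a small-business hardening checklist.

Added example, not code from the original thread.  Inventory, thresholds
and priorities are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: the only service an internet-facing host should expose is HTTPS.
ALLOWED_EXTERNAL_PORTS = {443}
# Assumption: a backup older than this no longer counts as "regular".
MAX_BACKUP_AGE = timedelta(days=1)

# Priority follows the comment's emphasis: patching first, then exposure of
# services and data, then recoverability (backups), then visibility (logs).
P_PATCH, P_EXPOSURE, P_BACKUP, P_LOGGING = 1, 2, 3, 4

Finding = Tuple[int, str]  # (priority, message); lower number = more urgent


@dataclass
class Host:
    name: str
    internet_facing: bool              # sits on the external network segment?
    listening_ports: Dict[int, str]    # port -> service name
    pending_security_patches: int
    last_backup: Optional[datetime]
    logging_enabled: bool
    sensitive_paths: List[str] = field(default_factory=list)


def audit_host(host: Host, now: datetime) -> List[Finding]:
    """Return the host's findings, most urgent first."""
    findings: List[Finding] = []

    if host.pending_security_patches > 0:
        findings.append((P_PATCH, f"{host.name}: {host.pending_security_patches} "
                                  "security patches pending"))

    if host.internet_facing:
        # Anything listening that is not on the allow-list is an unnecessary
        # service from the internet's point of view.
        for port, service in sorted(host.listening_ports.items()):
            if port not in ALLOWED_EXTERNAL_PORTS:
                findings.append((P_EXPOSURE, f"{host.name}: unnecessary service "
                                             f"{service} (port {port}) reachable externally"))
        # Sensitive data belongs on the internal segment, not a public-facing host.
        for path in host.sensitive_paths:
            findings.append((P_EXPOSURE, f"{host.name}: sensitive data {path} "
                                         "on a public-facing host"))

    if host.last_backup is None:
        findings.append((P_BACKUP, f"{host.name}: no backup recorded"))
    elif now - host.last_backup > MAX_BACKUP_AGE:
        age_days = (now - host.last_backup).days
        findings.append((P_BACKUP, f"{host.name}: last backup is {age_days} days old"))

    if not host.logging_enabled:
        findings.append((P_LOGGING, f"{host.name}: logging disabled"))

    return sorted(findings, key=lambda f: f[0])  # stable sort keeps insertion order within a priority


def audit_fleet(hosts: List[Host], now: datetime) -> Dict[str, List[Finding]]:
    """Audit every host and return findings keyed by host name."""
    return {h.name: audit_host(h, now) for h in hosts}


def worst_priority(report: Dict[str, List[Finding]]) -> Optional[int]:
    """Most urgent priority present anywhere in the report, or None if clean."""
    priorities = [p for findings in report.values() for p, _ in findings]
    return min(priorities) if priorities else None


# Constructed sample inventory: one neglected DMZ web host, one tidy internal DB.
NOW = datetime(2018, 3, 1, 12, 0)
SAMPLE_HOSTS = [
    Host("web-dmz", True, {443: "https", 22: "ssh", 3306: "mysql"}, 4,
         NOW - timedelta(days=3), False, ["/var/www/html/customers.csv"]),
    Host("db-internal", False, {3306: "mysql"}, 0,
         NOW - timedelta(hours=6), True, ["/var/lib/mysql"]),
]

if __name__ == "__main__":
    for name, findings in audit_fleet(SAMPLE_HOSTS, NOW).items():
        print(f"== {name}: {len(findings)} finding(s)")
        for priority, message in findings:
            print(f"  [P{priority}] {message}")
```

Run it as-is to see the DMZ host produce six prioritised findings while the internal database host comes back clean; in practice the `Host` records would be populated from your own inventory (port scans, patch-management and backup reports) rather than typed in, and the allow-list and backup window tuned to what the business actually needs exposed.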