Prevention vs Resilience

1

If you have a dollar to spend on cybersecurity, how would you choose to allocate it between prevention (anti-virus, anti-malware, IPS/IDS, pen-testing and compliance audits, etc.) and resilience (backups, training, tabletop exercises, incident response planning, etc.)?

Jay Brodsky
78 months ago
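The resilience items in the question (backups, incident response planning) only count once a restore has actually been rehearsed. Below is an added example, not code from the original thread or any of its participants: a Python restore drill that extracts a backup into a scratch directory, refuses archive members that would escape it, and diffs the restored files against a manifest kept outside the archive, so that data silently altered before the backup ran (the ransomware case) shows up as a mismatch rather than as a "successful" backup. The file names, contents and directory layout are constructed for the demo.

```python
"""Restore drill: prove a backup restores and matches a manifest kept outside the archive."""
import hashlib
import io
import tarfile
import tempfile
from pathlib import Path

CHUNK = 64 * 1024


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map relative path -> sha256 for every regular file under src."""
    return {p.relative_to(src).as_posix(): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tarball of src; return the manifest, to be stored away from the archive."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(src), arcname="data")
    return build_manifest(src)


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract only regular files and directories whose resolved path stays inside dest."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"refusing member that escapes {dest}: {member.name}")
        if not (member.isfile() or member.isdir()):
            raise ValueError(f"refusing non-regular member: {member.name}")
        tar.extract(member, dest)


def restore_drill(archive: Path, manifest: dict) -> dict:
    """Restore into a scratch directory and diff the result against the trusted manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            safe_extract(tar, Path(scratch))
        restored = Path(scratch) / "data"
        actual = build_manifest(restored) if restored.is_dir() else {}
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    mismatched = sorted(n for n in manifest if n in actual and actual[n] != manifest[n])
    return {"ok": not (missing or extra or mismatched),
            "missing": missing, "extra": extra, "mismatched": mismatched}


def rejects_traversal() -> bool:
    """Constructed hostile archive: a member named '../escape' must be refused, not written."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("../escape")
        info.size = 5
        tar.addfile(info, io.BytesIO(b"owned"))
    buf.seek(0)
    with tempfile.TemporaryDirectory() as scratch, tarfile.open(fileobj=buf, mode="r") as tar:
        try:
            safe_extract(tar, Path(scratch))
        except ValueError:
            return True
    return False


def demo() -> tuple:
    """Constructed sample data: a clean drill, then one where live data changed after the manifest."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "live"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,alice\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = create_backup(src, work / "good.tar.gz")
        clean = restore_drill(work / "good.tar.gz", manifest)
        # Simulate ransomware rewriting a file before the next backup run, while the
        # operator still trusts the manifest taken from the known-good state.
        (src / "db" / "customers.csv").write_bytes(b"\x00ENCRYPTED\x00")
        create_backup(src, work / "bad.tar.gz")
        tampered = restore_drill(work / "bad.tar.gz", manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean drill:", clean)
    print("tampered drill:", tampered)
    print("traversal refused:", rejects_traversal())
```

Keeping the manifest apart from the archive matters: an attacker who can rewrite the archive can rewrite a manifest embedded in it just as easily. Running the drill on a schedule and alerting when `ok` is false turns the backup line item into something measurable.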

17 answers

2

A "simple" question, it is not - Security has few that are, particularly when it comes to the question of where to invest. I do agree that you should ask for more money as a first ploy. Failing that....
The true answer depends on the strategy you have in mind (and yes, your question does indicate you have one):
Short-term: if you want an immediate fix to gain protection NOW - clearly your best course is something preventive.
Long-term: If you are working on a long-term programmatic protection and stability plan - go for resilience.
If these objectives are not mutually exclusive, I would spend the dollar this way:
Year One: Short/Long: 70/30 (for quick protective ramp-up, and L-T strategy initiation)
Year Two: Short/Long: 40/60 (completion of S-T elements, beginning of L-T implementation)
Year Three: Short/Long: 25/75 (maintenance of S-T elements, testing and progressive roll-out of L-T)
By Year 5, you should be in Sustaining Engineering Mode, spending your buck as needed on maintenance and tune-ups, which should include Incident Response, btw.

Ross A. Leo
78 months ago
1

I'd ask for a lot more money.

Gary Feinstein
78 months ago
1

Resilience almost every time. The dirty secret of cybersecurity is that given enough time every organization will be compromised. Assuming you have encrypted your data well and have good key management practices, then your primary mission is to keep running - always operate on the assumption you are already penetrated, because you are - unless you don't have employees.

Eoin Fleming
78 months ago
1

I carry the firm belief that resilience is the new prevention, in the sense that getting rid of the root causes, thus being able to abstain from hindrances pertaining to cyber security issues before their occurrences, is key to saving energy and time as regards setting up a state-of-the-art line of defences. To illustrate: no anti-virus or pen-testing may function to the full intended extent in the absence of the required backup and training schemes, as the indispensable features beneath any prevention subject. Therefore, without neglecting the importance of prevention, I would like to highlight resilience as the foremost and quite evidently foreshadowing concept when it comes to meaningful outcomes from a cyber security frame.

Gokhan Gokceoglu
78 months ago
Reading this, I find the first statement is contradicted by the second. Or, the second statement diminishes the first by giving more importance to prevention over resilience. - Ross A. 78 months ago
On the contrary, my intention is to underline the mutually indispensable relationship between the two while emphasizing the importance of resilience over prevention as the determinant. Needless to say, I have utmost respect for any kind of criticism. Thanks and Regards. - Gokhan 78 months ago
Thank you - that clarifies things for me very well. And now that I understand your position better, I see that we are indeed in agreement. - Ross A. 78 months ago
1

Some additional thoughts:
Resilience is defined as the capacity to recover quickly from difficulties; toughness: alternatively, the ability of a substance or object to spring back into shape; elasticity. Prevention supports this quality, but does not by itself achieve it.
Cybersecurity programs contain many components that contribute various actions or states. In combination, they achieve the qualities of resilience, reliability, recoverability, resistance, redundancy and robustness. The commonly employed methods and technologies all contribute to their achievement by performing their intended actions: most perform two or more. Preventive is one type and contributes greatly to infrastructure resiliency, as do the other types of detective, corrective, etc. They integrate, making their sum greater. None displaces any other but rather augments and amplifies it.
One must bear in mind that events and actions not motivated by human actors can largely be overcome by controls and countermeasures. The human minds that act as adversaries can understand anything the defenders are going to come up with - this is axiomatic. None of the qualities or actions have ever proven to be sufficient alone, nor will they ever.
Achieving "resilience" is AN answer, but not "THE" answer. It is a "qualitative result", not a "creative action".

Ross A. Leo
78 months ago
1

NB: this is a short write-up and does not provide a full view of the issue.
I have an audit background, always moving to areas where I can be more creative, therefore less rule-based environments. I currently find myself in the GRC space and am slowly moving from Risk to Strategy. I find that today more rules are created because many organisational management teams from my generation (so I am a bit older) are not fully aware of the risks in the cyber area of their business. Clever consultants excite them with long-winded "around-the-computer" policies and procedures, which only protect you if the people follow them (as one of the previous commentators already noted - you have already been hacked - you have people and they are not always (sorry, never) fully predictable when they have your data).
So, to cut it short, if I am the CIO I would convince business that I need to spend my dollar in the short term mostly on prevention, but "through-the-computer" monitoring, with a long-term view of getting business to understand that they should be resilient when the real hack happens. From the start, split the dollar into prevention and then resilience, with increased resilience spending. (From a budgeting point of view it would be great, because the CIO spending would decrease and the business spending (this is not a service area) increases to ensure resilience :)

Ernst Snyman
78 months ago
1

Like healthcare, cybersecurity needs to get out of its own bureaucracy and inefficiencies. Disruption needed in both.

Randy Vogenberg, PhD
77 months ago
As stated, Randy, I find the terse quality of your comment unhelpful and unrelated to the topic presented in the question asked. I also see no relationship in the context of your statement between healthcare and cybersecurity, especially considering I have many years of experience in each area. Could you be a little clearer on the point you are actually trying to make? - Ross A. 77 months ago
1

I think part of the problem with a question like the initial one asked by Mr. Brodsky is that it appears simplistic when the subject it is addressing is quite the opposite. The answers "Security" must find require constantly balancing business priorities with the "threat of the moment" - this act is both difficult and complex.
I also think part of solving this is to set a fairly firm set of priorities organized around the business to lay a foundation and then (within certain limits) allow "Security" to evolve and adapt to the changing threat-risk landscape, while still keeping those business priorities foremost.
Security and Business must co-exist - of that there can be no doubt. But each must move toward a compromise position with the other until the optimal result is found. Little in this relationship will remain static, nor should it - the universe they exist in is not static. Business remains the driver and the definer of the priorities nonetheless.

Ross A. Leo
77 months ago
1

Both are needed strategies: backups and upgrades, password changes and antivirus, also running intrusion protection exercises and having IT security policies in place which explain to internal users the basics about security and protection.

amit patel
75 months ago
1

Considering what could be spent on cyber defense, there are low-cost actions small businesses can take to make them a less attractive target. Companies can improve their security posture by assessing and hardening their network. This includes segregating the internal and external network with firewalls, removing sensitive information from public facing portions of the network, maintaining logs and regular system backups, disabling unnecessary services, and, most importantly, regularly updating and patching software and applications. Many cybercriminals are opportunistic, seeking systems with known vulnerabilities to exploit. By properly configuring and patching your systems, you can make yourself a less attractive target to attackers.

David Barckhoff-Sag-Aftra/Producer, Director
74 months ago
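One of the hardening steps above, disabling unnecessary services and keeping internal-only services off the external network, is easy to state and easy to regress on. Here is an added example, not code from the original post: a Python review that parses `ss -tlnp`-style output against an explicit allowlist of port to expected process, and grades everything else by whether it is bound to all interfaces or only to loopback. The socket listing and the allowlist are constructed for illustration, not captured from a real host.

```python
"""Attack-surface review: flag listening sockets that are not on an explicit allowlist."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `ss -H -tlnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=950,fd=5))
LISTEN 0 50 0.0.0.0:3306 0.0.0.0:* users:(("mysqld",pid=1410,fd=21))
LISTEN 0 128 [::]:111 [::]:* users:(("rpcbind",pid=601,fd=4))
LISTEN 0 128 0.0.0.0:23 0.0.0.0:* users:(("telnetd",pid=1550,fd=3))
LISTEN 0 128 *:8080 *:*
"""

# Hypothetical allowlist for an internet-facing web host: port -> process that should own it.
ALLOWLIST = {22: "sshd", 443: "nginx"}

# Local address and port, the peer, then an optional users:(...) block (absent when not root).
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

ALL_INTERFACES = {"0.0.0.0", "[::]", "*"}
SEVERITY_ORDER = {"high": 0, "low": 1, "info": 2}


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    proc: Optional[str]

    @property
    def exposed(self) -> bool:
        """True when the socket is reachable on every interface, not just loopback."""
        return self.addr in ALL_INTERFACES


def parse_ss(text: str) -> list:
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return listeners


def review(listeners: list, allowlist: dict) -> list:
    """Return findings as dicts; an allowlisted port held by the expected process yields none."""
    findings = []
    for lst in listeners:
        expected = allowlist.get(lst.port)
        if expected is None:
            if lst.exposed:
                reason, sev = "unlisted service bound to all interfaces: disable it or block it at the firewall", "high"
            else:
                reason, sev = "unlisted service on loopback only: confirm it is still needed", "low"
        elif lst.proc is None:
            reason, sev = "allowlisted port but owning process unknown: rerun ss as root", "info"
        elif lst.proc != expected:
            reason, sev = f"allowlisted port held by {lst.proc}, expected {expected}", "high"
        else:
            continue
        findings.append({"severity": sev, "port": lst.port, "proc": lst.proc, "reason": reason})
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f["severity"]], f["port"]))


if __name__ == "__main__":
    for f in review(parse_ss(SAMPLE_SS), ALLOWLIST):
        print(f"[{f['severity']:<4}] port {f['port']:<5} {f['proc'] or '?':<10} {f['reason']}")
```

On a real host, feed it the output of `ss -H -tlnp` (run as root so the owning process is visible) and keep the allowlist under version control next to the firewall rules; anything graded high either gets disabled or gets an explicit allowlist entry with a recorded reason.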
1

Last September, the Department of Homeland Security ordered all federal agencies to cease using Kaspersky products because of the threat that Kaspersky’s products could “provide access to files.”
A month later, The New York Times reported that the Homeland Security directive was based, in large part, on intelligence shared by Israeli intelligence officials who successfully hacked Kaspersky Lab in 2014. They looked on for months as Russian government hackers scanned computers belonging to Kaspersky customers around the world for top secret American government classified programs.
In at least one case, United States officials claimed Russian intelligence officials were successful in using Kaspersky’s software to pull classified documents off a home computer belonging to Nghia H. Pho, an N.S.A. developer who had installed Kaspersky’s antivirus software on his home computer. Mr. Pho pleaded guilty last year to bringing home classified documents and writings, and has said he brought the files home only in an attempt to expand his résumé.

David Barckhoff-Sag-Aftra/Producer, Director
74 months ago
1

Before I spend the money for the need, I would require to understand the actual situation. So before I plan actions, I need to elaborate a risk assessment.

Patrick Henz
64 months ago
My plan usually is to identify the need and assess the current situation, then move on. Without any of the previous ones it is tough to understand how to act; it could be more a reactive activity, and it could work or not. - Paolo 64 months ago
0

10% TMVi NEXT PRACTICES prevention and 90% TMVi NEXT PRACTICES resiliency. Best practices are too late.

June Klein
78 months ago
June makes an excellent point: best practices really are too late. Percentages would vary based on the timing and context, but we agree on the essential emphasis. - Ross A. 78 months ago
0

If I can only choose one it would be resilience. An argument can be made that cyber security should be a sub-discipline of resilience, but I'll leave that discussion to greater minds than mine.

Dr. Char Sample
78 months ago
0

I would say resilience: backups and training, trying to avoid future issues, and incident response planning in case these happen.

Paolo Beffagnotti
78 months ago
0

While the aforementioned steps will help reduce the likelihood of an incident, you may not prevent all attacks. Understanding the inevitability of an attack, it is prudent to invest some resources in a comprehensive cyber incident response and remediation plan before an attack occurs. This plan should identify critical roles and responsibilities as well as a logical plan to contain and mitigate a cyber threat so you can restore your systems and business operations as quickly as possible. A third-party mitigation company can assist you with this task. The value of a response plan cannot be overstated. Not having an agreed-upon approach will likely lead to longer downtime and potentially costly mistakes. Failure to take these kinds of steps has made information loss the most expensive consequence of cybercrime.

David Barckhoff-Sag-Aftra/Producer, Director
74 months ago
0

How Antivirus Software Can Be Turned Into a Tool for Spying https://www.nytimes.com/2018/01/01/technology/kaspersky-lab-antivirus.html

David Barckhoff-Sag-Aftra/Producer, Director
74 months ago
