It’s encouraging that many organizations have become aware of the security of their networks and computer resources. This awareness is sometimes triggered by breach or fraud headlines in tech journalism, which leads to concern and curiosity. There is one type of organization, however, that has me greatly concerned.
It is immediately apparent when I’m speaking with a company that has suffered an attack, because their questions are highly focused. But there is another category of organization I have spoken to that, for the time being, wishes to remain reactive, rather than proactive, in its computer security posture. This is highly concerning.
Every organization has to work within a budget and every dollar spent needs to be justified. What some organizations have told me is that they need to suffer an attack before they can justify expenditure on security. This is literally the equivalent of waiting for a crisis.
My simple question to these organizations is, “Can you guarantee to me that you have not already been successfully attacked?” The answer is usually something like, “We have not seen any evidence.” I then ask, “How do you gather that evidence?”
I have not yet received an answer to that question. Without logging, monitoring and someone whose job it is to review them, “no evidence” means only that nobody is looking. This leads me to think that there are some important messages that need to be stated clearly to any organization that has a computer network and values its sensitive or important resources.
Computer security is not easy. A reactive strategy is not a defensive strategy at all and I strongly doubt that in the long run it will save on expenditure. Organizations that are waiting for an attack to justify expenditure probably think that they can quickly buy a silver bullet that will protect them.
This does not exist.
Good security governance and security culture take time to develop in an organization. They cannot be obtained quickly as a reaction to an attack. There are some good security tools in existence today, but architecting a layered defense takes time. Defenders who can use these tools effectively are in high demand and hard to hire quickly. A reactive approach to cybersecurity is a critical mistake.
What do all of the organizations I speak to have in common? Each has a computer network and many valuable resources attached to it. Whether it’s personal data, intellectual property or money, there are malicious attackers out there who want to steal it. Organizations need to defend their assets, and this won’t happen by itself. If your organization is waiting for a crisis to justify expenditure, then it’s time to rethink your strategy.