Let’s start with exploring the status quo – preventative controls. These by their nature must be automated. To explain: for a control to stop something happening, to prevent it in real time, it must rely on a series of pre-defined rules that dictate ‘if x occurs, then y is the response’. Either that, or it simply stops something happening at all without the appropriate permissions.
In this locked-down world of prevention, these rules and controls can lead to frustration as the ‘business blocking’ security team is perceived as a choke-point where anything non-standard must be manually approved.
But what about a shift from prevention to detection?
This would mean preventative controls could be relaxed because the security team was more confident in its ability to spot and rapidly respond to attacks as they happened. This confidence could allow the engineering team to spin up an extra service, or download trial software, without having to go through IT first because, should there be any nasty repercussions, these would be picked up and remedial action taken. The result – enabling, not blocking.
Point of Differentiation
Examining this issue in a different light, when was the last time the security team spoke with the sales director? Did they perceive security to be something out of their sphere and just expect it to happen – or worse, to be a straightforward cost center?
The budgetary shift from prevention to detection presents an opportunity for the sales teams to demonstrate to customers that the business is not slow to respond to the changing threat landscape, and is actually proactive in embracing the current thinking in cyber-security. With more and more customers demanding more than just ‘compliance’ in their procurement processes, how this is understood by the commercial teams can enable them to add points of real differentiation from competitors. The result is that security is seen not just as a cost center, but as a USP.
Return on investment
The last element is how the business can perceive the security budget to be value for money if it is only spent on prevention. If the only measure is what can be prevented, how many attacks get through that can’t be seen – with the bigger risk of how long they persist undetected?
Detection, such as with EDR tools and proactive threat hunting, gives vast visibility across the estate and reveals attacks as they happen across multiple vectors and attack paths. Armed with this knowledge, the appropriate preventative controls can be put in place in line with proven risk, and the effectiveness of these controls can then be measured and justified over time against a known baseline – applying dynamic expenditure, only when and where needed.
As cyber-security budgets continue to grow, it is essential that perceptions continue to change. The shift from prevention, to detection and response, could be exactly what is needed.