Should organizations focus more on incident response rather than prevention?

1k views · 1 Upvote · 3 Comments

CISO in Software, 51 - 200 employees
We're still talking a lot about perimeter security and endpoint security, etc., but the critical question is, what do we do after a breach happens? Lateral movement happens after there’s an intrusion, so why are networks still designed in such a way where, when somebody gets compromised, bad actors can go wherever they want in the network and do whatever they want? It doesn't make any sense.
Founder/Chairman/CTO in Telecommunication, 201 - 500 employees
Security leaders should reframe the conversation to establish that everyone will get hacked eventually. Work on the assumption that every organization and every computer system will experience some degree of intrusion or unintended activity that could be seen as malicious. Instead of thinking about how you can keep that from ever happening and considering it a failure if it ever does happen, you flip that story: we know that an intrusion is likely to happen at some point in the future, so how do we stay on top of that? How do we delay it as much as we possibly can? How do we contain the blast radius?

Think about it in terms of Maslow's hierarchy. You have core fundamentals that are imperfect, of course: if you have to restore to a backup, you will lose anything between when that backup was made and when you do the restore. But if, as an organization, you have full confidence in that as a baseline, then you have more bandwidth available to get into the things that are higher up the pyramid.

We've tried to do that in terms of building Bugcrowd, because we're a security company that deliberately invites a bunch of hackers onto its platform and then asks them to try to break into our systems. As you can imagine, there's quite a bit that goes on and we've had to design the ability to withstand that and contain it from scratch. Drawing on the approach that we took, you just cover the basics to make sure that they're absolutely rock solid and then return to them to make sure that they haven't atrophied over time. Once you have confidence in that, you move up the stack. I'm not sure how well that scales to a company with 100K employees, but it seems to check out as a principle.
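The first two comments both come down to the same question: if one host is compromised, how far can an intruder pivot? The following script is an added example, not code from any commenter or from Bugcrowd. It models a network as named zones with allow rules (source zone may initiate connections to destination zone), computes the zones reachable from a single foothold by following allowed flows transitively, and flags a "flat" policy where one foothold reaches every other zone. The zones, rule sets and the `audit`/`blast_radius` function names are all constructed for the example.

```python
"""Blast-radius audit for a zone-level network policy.

Constructed example (not from the original discussion): a policy is a list of
(src, dst) allow rules meaning hosts in zone `src` may initiate connections to
zone `dst`.  From a compromised host in one zone an attacker can pivot along
any allowed path, so the relevant measure is transitive reachability, not the
number of direct rules.
"""
from collections import defaultdict, deque

# Constructed zones for the example.
ZONES = ["workstations", "web", "app", "db", "backup"]

# Constructed "flat" policy: every zone may reach every other zone.
FLAT_POLICY = [(s, d) for s in ZONES for d in ZONES if s != d]

# Constructed segmented policy: only the flows the applications need.
# Note that db has no outbound rules, and backup pulls from db rather
# than db pushing to backup, so a compromised db host cannot reach backups.
SEGMENTED_POLICY = [
    ("workstations", "web"),
    ("web", "app"),
    ("app", "db"),
    ("backup", "db"),
]


def build_graph(policy):
    """Adjacency map: zone -> set of zones it may initiate connections to."""
    graph = defaultdict(set)
    for src, dst in policy:
        graph[src].add(dst)
    return graph


def reachable_zones(policy, foothold):
    """Zones an attacker could pivot into from a compromised host in `foothold`.

    Breadth-first search over allowed flows; the foothold itself is excluded.
    """
    graph = build_graph(policy)
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        zone = queue.popleft()
        for nxt in graph[zone]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(foothold)
    return seen


def blast_radius(policy, zones, foothold):
    """Fraction (0.0 .. 1.0) of the other zones reachable from `foothold`."""
    others = [z for z in zones if z != foothold]
    if not others:
        return 0.0
    return len(reachable_zones(policy, foothold)) / len(others)


def audit(policy, zones):
    """Per-zone report; a zone is flagged 'flat' when a foothold there reaches everything."""
    report = {}
    for zone in zones:
        radius = blast_radius(policy, zones, zone)
        report[zone] = {
            "reaches": sorted(reachable_zones(policy, zone)),
            "blast_radius": radius,
            "flat": radius == 1.0,
        }
    return report


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        print(f"{name} policy:")
        for zone, row in audit(policy, ZONES).items():
            flag = "  <-- foothold reaches every zone" if row["flat"] else ""
            print(f"  {zone:13s} reaches {row['blast_radius']:.0%} of other zones{flag}")
```

Running it shows the point the commenters make: under the flat policy every zone is a full-radius foothold, while under the segmented policy a compromised workstation still reaches 75% of the other zones because web and app forward the path to db. Segmentation is measured by what is transitively reachable, which is why the audit follows chains rather than counting direct rules.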
CIO, Self-employed
If you look at incident response from the NIST 800-61 Rev. 2 perspective, they are not mutually exclusive. Preparing for an incident is the first phase of the incident response lifecycle and requires secure architecture and identification of variables that should be evaluated a priori to an incident. I think you can and should do both.
