As I write this from a vantage point above the main exhibition floor at Infosecurity Europe, the day before the industry flagship opens, the concept of ‘security set-up’ takes on a whole new meaning.
Just as the red carpet is being rolled out, rather literally actually, for security professionals at London’s Olympia, it seems rather appropriate to look at the topic of preparedness. In particular, just how ready are the end-users of the technology that Infosecurity Europe will present?
On that subject, a new study by Pierre Audoin Consultants (PAC), co-sponsored by Resilient Systems, has revealed what may be some alarming pointers as to a lack of preparedness among companies in the European Union.
PAC believes that it has uncovered a “notable” gap in incident response (IR) preparedness. Indeed, the stand-out finding of the report was that, even though as many as 86% of respondents feel that they’re prepared to face a cyber-attack, almost two-fifths of them have no IR plan in place. Additionally, only just under a third of those with IR plans test and update them regularly, defined as being more than once a month.
Scary stuff given that along with death and taxes, data breaches can probably now be counted as one of modern life’s few certainties.
Perhaps even worse is the fact that the survey also showed that companies — and in this case the sample comprised 200 CISOs, CIOs and VPs of IT in the UK, France and Germany from firms with more than 1000 employees — can take up to six months to recover from a cyber-attack. Can businesses really expect to prosper under those circumstances?
Should firms then be re-allocating resources to dealing with the aftermath of an incident rather than in primary protection? Yes they should, argues Resilient CEO John Bruce. “Currently, of the three classic pillars in security — prevention, detection and response — businesses spend more than 75% of their security budget on prevention and detection technology. But spend is moving more towards IR capabilities – growing from 23% today to 39% over the next two years. If spent wisely, this will result in a speedy and significant reduction in the impact that security incidents can have.”
It’s a point also taken up by Barclays Group CISO Troels Oerting. Commenting on the report, he said: “With incident response more critical than ever, businesses need to ensure their IR processes are effective, consistent, and efficient – and it requires a daily commitment to assessment and improvement… This study shows teams need to invest more in technology and platforms that help them manage IR better, every day.”
But maybe it actually shows something more profound: that how well your company is prepared to react to a breach matters more than how prepared it is to repel threats at all costs. And it also returns to a theme about the most important aspect of your company’s security set-up: your staff. In particular, how capable they are of dealing with the inevitable.
And once the red carpet is fully laid down, Infosecurity Europe promises to offer ways in which you can evaluate how to better recognize and close breaches and learn to be in better shape for what you will receive. That is, be prepared.