Does incident prevention always have to be expensive?

"We are not going to bother locking the doors any more and we are going to spend a fortune on alarm systems. That just doesn’t make any sense to me."

Greg van der Gaast, Head of Information Security at the University of Salford, talks to Jeremy Swinfen Green about how preventing cyber security incidents is generally a lot less expensive than responding to them.

Greg van der Gaast will be speaking at the teissR3 | Resilience, Response and Recovery summit taking place online, 15 - 24 September.

This year, the very popular teissR3 event focuses on how to improve your organisation’s cyber resiliency and adopt best-practice in incident response and crisis management in a post-COVID-19 world. Space is limited. Register your free place.

Video transcript

Does incident prevention always have to cost a large amount of money? What do you do on a limited budget?

See, I hear this a lot. I think it's a great question. And it boggles my mind, to be honest, because I see this trend, that I see more and more CISOs, in every Gartner and other survey that I see, moving away from prevention and into detection and response. So what we're doing is we're not going to bother locking the doors anymore.

But we're going to spend a fortune on alarm systems, and that just doesn't make sense to me. But everyone sees it the way you posed the question: it's too expensive to do prevention. I'm, like, what do you mean? Because it's far cheaper.

It doesn't really cost me anything to get my asset management sorted. It doesn't cost me anything to have coffee to find out what's going on in my business. And the number of security people who don't know their core business functions, who don't speak to parts of the business, who don't influence and aren't involved in projects and strategic initiatives, is staggering. And then they're having to deal with all the incidents that result because security was never integrated in this. And one argument I hear a lot is, you know, legacy systems.

Oh, they're legacy systems. We can't do anything about them, so we have to build all the security around them. OK, great. That's a valid point.

But have you done anything to make sure that when the legacy system in five years' time finally gets replaced, that can be maintained, can be patched, does have maintenance windows, is secure? Have you created a process to make sure that happens when that time comes? Have you created architectural standards to make sure that happens? No, you haven't.

And you're going to spend the next five years moaning about it. And five years from now, you're going to have the legacy system finally be replaced. And it's going to be just as bad as the 20-year-old one because you never got involved upstream, to make sure what was coming down the pike.

So if you do that, if you go proactively, basically you ensure that everything that comes new into the environment is relatively secure or can be secured very cost effectively, as opposed to having to create all this detection and response and work-arounds. So I think we currently spend something like 95% of security spending and effort in the SOC, or 95% is probably exaggerating because you have EDR and other things. But it's very much between the SOC and detecting stuff that happens. But we spend almost nothing in getting in front of the problem, making sure the issues don't happen in the first place.

So how can prevention possibly be more expensive than all this other stuff? And that's kind of-- my analogy is always it's like a car factory. And the car goes through the assembly line, then gets pushed into the parking lot, but from the third floor, so the car's all smashed up. And we're spending all our time figuring out, well, what's wrong with it.

What parts need to be changed? What tools do I need? What's the procedure? What's the order? And we're stepping over each other.

How do we organise a workflow? Quick, quick, let's get more-- we need to hire 1,000 more people to move these cars out of the way. Set up workshops. We're stepping all over each other.

Let's build some kind of a quality management framework and a process flow. And let's hire some consultants to tell us how to do it, some auditors to make sure we're doing it right, some vendors to sell us better tools. No one's thinking, can we just make the cars come out on the ground floor?

And that parking lot analogy is my analogy for the security industry. If you look at the security skills gap, ISC2 had this great slide, where they're showing like the top 20 roles and what the roles are and where there's this big gap and how big the gap was and how big the gap's going to become. Every single one of them was a reactive parking lot role. There was nothing about business engagement or process improvement or, you know, getting the influencing, nothing, nothing.

Right.

Everything we're doing is responsive. How can that possibly be cheaper than just making sure things don't happen in the first place?