Information security dogmas - long live the echo chamber

A short time ago I saw another of those commonly held InfoSec wisdoms: as your organisation’s information security matures, your budget shifts from being spent mostly on prevention technologies to being spent on detection and response technologies. In other words, “we’re not mature, so we are spending 90% on prevention and the remaining 10% on detection and response”. The immaturity is in the approach, not the capability.

Majority of the budget on prevention

  1. You spend a lot of time and money on controls to keep the bad actors out.
  2. You are frequently unaware of the events where your prevention controls failed.
  3. When a third party informs you that you suffered a breach, you respond defensively (and aggressively) because you have no internal evidence that would corroborate what the third party is telling you.

Majority of the budget on detection and response

  1. You spend a lot of time and money on capability to know what is going on and to respond quickly and appropriately.
  2. You are alerted that your prevention controls failed and are ready to quickly respond to them.
  3. You don’t need a third party to inform you that you’ve suffered a breach - but if it happens, you can quickly take control of the most important part of crisis management: managing the message.

Putting the large majority of your resources into prevention starves you of the information needed to know where you stand in relation to the threats and to your competitors. It also starves you of the practice needed to respond to a crisis when it happens. Without actively practising response you will make mistakes - and the magnitude of those mistakes may well be such that you cannot recover from them.

Mature organisations spend a lot of effort on constructing feedback loops and ensuring that feedback is not only generated but also used. Immature organisations follow dogma and rarely question whether what they’re doing is the right thing to do.