Massive, highly publicized data breaches alongside business disruptions brought about by the pandemic have sharpened companies’ focus on endpoint detection and response (EDR), incident response plans and business continuity. While each of these areas are important, enterprises should not lose sight of a component that can be even more impactful – incident prevention.
This is an important conversation since 2023 is a year of global economic uncertainty. Security leaders will likely have to pay especially close attention to their budgets, weighing priorities and finding the right overall balance for their security programs. In a climate where budget dollars may need to stretch as far as possible, what could be a better decision than to invest in preventing security incidents from wreaking havoc in the first place, with all the associated costs of after-the-fact analysis and recovery efforts?
As the realities of the daunting threat landscape have become evident in boardrooms, there has been an overcorrection of placing a primary emphasis on detection and response in the aftermath of successful cyber intrusions. This is opposed to strategizing to prevent attacks from occurring.
Detection and incident response are critical, but let’s not lose sight that although not all cyber-attacks will be thwarted, many of them can be. From a risk management perspective, it is sensible to address risks that can be easily and relatively inexpensively mitigated – you’re never going to eliminate all risks, but you might as well eliminate the ones you can and save the considerable resources that are needed to deal with a successful attack. Investing in preventative techniques can be much more impactful than the incremental benefits that might be achieved from continuing to pour resources into what are often already solid detection and incident response protocols.
So, what are examples of effective methodologies that are focused on prevention? Remote browser isolation (RBI) quickly comes to mind. RBI adds a layer of defense against browser-based malicious code such as ransomware by redirecting user web traffic so that it flows through a browser isolation platform. Since browser isolation is intended to ensure that no code is transmitted to the user’s endpoint without relying on detection, implementing full browser isolation is the correct path. Partial browser isolation does not fulfill the underlying rationale for implementing browser isolation.
Another notable prevention-based technique is app trust listing. This ensures only trusted applications run, utilizing zero-trust concepts. A word of caution: ensure that the prevention technology you’re using is not a detection technology in disguise. I’ve seen many security products trumpet prevention, but when scrutinized more closely, they are really detection or response-based. This holds true for several browser isolation and endpoint protection tools on the market.
There are other timely approaches that can help security leaders be more efficient with their budgets. As privacy regulations continue to become the norm around the world, it’s likely that 75% of the globe will be covered by some sort of regulation by year’s end. That means security leaders will need to work more closely with their privacy counterparts to comply with evolving regulations and achieve the overarching goal – delivering digital trust to all stakeholders. Privacy functions are even more challenged for funding than security. In ISACA’s Privacy in Practice 2023 report, more than half of respondents say their privacy budget is underfunded. By implementing security measures such as encryption, microsharding and data anonymization, security and privacy objectives can be reached efficiently and cost-effectively.
One temptation security leaders should avoid is to slash the budget in areas such as training, certifications and providing high-impact security tools. Even when the economy is in a downturn, security professionals will remain in demand, and if they are not provided with the resources and professional development opportunities needed to be successful, they are likely to leave and go to a competitor. Headcount is important, but giving a slightly smaller security team the resources and tools to succeed leads to better results than prioritizing headcount at all costs.
The year ahead will require savvy leadership – the industry seems to become more challenging every year – and the economic uncertainty only adds another layer of complexity. But even in times of tightening budgets, by coupling investments in detection with technology that prevents attacks from working in the first place, looking for synergies between security and privacy and prioritizing the needed investments in retaining and supporting your security team’s operations and professional development, 2023 can be a great year for security leaders and their teams.