Succeeding at Failure

An interesting report recently came out from a government analyst firm, Input, on U.S. government spending. According to the report, spending on cybersecurity will grow at a compound rate of 8.1 percent a year between 2009 and 2014, outpacing general IT spending.

While we can debate whether that is the right number, clearly government needs to focus more on protecting our most critical assets and addressing the security holes already present in its networks. However, I was a bit confused to see that Input predicts that most of this spending will be on preventative measures. The notion of building a higher wall comes to mind.

I read the following in an IDG article and I wanted to pound my head on the desk:

“You need to be paying attention to where those consolidation and centralization centers are,” he said. (Kevin Plexico, Input’s senior vice president of research and analysis.) In addition, much of the federal government’s cybersecurity focus will be real-time monitoring and control of computer networks, Plexico predicted. He sees less emphasis in the future on audits to identify breaches after they happen. “Agencies are really investing in technology that helps them identify threats as soon as they happen, and even anticipate where those threats are going to come from,” he said.

This is yet another example of people not paying attention to logic. It is simply impossible to prevent every bad thing from penetrating your network. To advertise otherwise presupposes that we can “out-guess”, “out-anticipate”, or otherwise predict how cyber-criminals plan their attacks. It seems illogical that industry pundits continue to miss this point. The fact has always been that preventative measures are necessary, but hackers will continue to evolve in sophistication faster than vendors can create new products. That explains why so many agencies have already been compromised and why we continue to hear about them despite the billions (yes, with a “b”) already spent. The definition of insanity…?

While most organizations implement security strategies that target prevention of a cyber attack, those same organizations fail to understand the three pillars of an effective security strategy – prevention, detection and incident response – and the importance of each.

  1. Prevention. We know prevention is not a 100 percent guarantee. Recent security breaches at T-Mobile, Heartland Payment Systems, TJX Companies, Lexis Nexis, Twitter, Visa and MasterCard provide proof that prevention is not an absolute. We can also use common sense to reason that there are endless potential attack vectors into a network; portraying ourselves as capable of anticipating all of these, with perfect accuracy, is to say that we can become omniscient in our deployments. Does anyone really believe this?
    Most organizations implement many products and services to prevent a security incident. Network intrusion applications, application firewalls, unified threat management, data and information leak prevention, antivirus software, content monitoring and filtering, etc., are all terms well known by your IT security staff. But, what happens when a hacker is successful at breaking through your “secure” system? Read the paper this week (or any week) and I’ll bet you can find an example.
  2. Detection. When a breach occurs (because we all know it is going to happen), what happens next? The ability to address security incidents as they happen is a critical strategy that organizations fail to implement, even though the cost of failure is so great.
    A recent report found that the average cost to remediate a compromised health care record is $211. Here’s a costly example: the University of North Carolina recently disclosed a breach of 160,000 records. Based on $211 per record, the cost to remediate would be nearly $34 million. Interestingly, the cost to remediate the TJX breach was estimated between $250 and $300 million, based on $3 per compromised record.
  3. Network forensics/incident response. The third pillar is quite simple: When something bad happens (and we know it will and we know that we can’t always anticipate what it will be), we plan our reaction to it. With a comprehensive incident response plan and the right technology, you simply rewind the tape. Like a bank that has just been robbed (because despite the guards, alarms, and locks, they still deploy cameras), network forensics provides organizations a rewind feature to quickly identify the full scope of any security event, determine what happened to specific files, data, etc., and then take immediate steps to resolve the situation. Reduced exposure, evolving security measures, and ultimately having a way to review an attack and make sure it can’t happen again is just good practice. It’s the same reason law enforcement agencies have forensic teams to conduct criminal investigations and New York City has arguably one of the most comprehensive incident response teams for terrorist attacks. Why do we think network security is any different from security in the physical world?
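The “rewind the tape” idea from the third pillar, as an added example that is not part of the original post: given the kind of flow summaries a network forensics store retains, scope an incident backwards from the alert to the first external contact and forwards through any hosts the compromised machine touched. The flow records, the internal address range and the alert time are all constructed for the illustration.

```python
from collections import namedtuple
from datetime import datetime

# Constructed flow summaries (not from the original post): the kind of record a
# network forensics store keeps so that an incident can be replayed afterwards.
Flow = namedtuple("Flow", "ts src dst bytes_out")
FLOWS = [
    Flow("2009-10-01T08:00:00", "10.0.0.5", "10.0.0.20", 1200),
    Flow("2009-10-01T08:15:00", "203.0.113.9", "10.0.0.5", 4300),        # first inbound from unknown host
    Flow("2009-10-01T08:20:00", "10.0.0.5", "10.0.0.21", 800),
    Flow("2009-10-01T09:00:00", "10.0.0.5", "203.0.113.9", 52_000_000),  # large outbound transfer
    Flow("2009-10-01T09:05:00", "10.0.0.21", "203.0.113.9", 3_000_000),
    Flow("2009-10-01T10:00:00", "10.0.0.7", "10.0.0.20", 500),
]

def is_internal(ip):
    return ip.startswith("10.0.0.")  # assumed internal range for this sample

def parse(ts):
    return datetime.fromisoformat(ts)

def rewind(flows, seed_host, alert_ts):
    """Scope an incident from the host and time at which an alert fired.
    Rewinds to the earliest external contact with seed_host before the alert,
    then replays the capture in time order to collect internal hosts reached
    from the compromised set and the bytes that left for external addresses.
    Returns (entry_ts, sorted touched hosts, total egress bytes)."""
    flows = sorted(flows, key=lambda f: parse(f.ts))
    alert = parse(alert_ts)
    inbound = [f for f in flows
               if f.dst == seed_host and not is_internal(f.src) and parse(f.ts) <= alert]
    entry = parse(inbound[0].ts) if inbound else alert  # no earlier contact: scope from the alert
    touched = {seed_host}
    egress = 0
    for f in flows:
        if parse(f.ts) < entry or f.src not in touched:
            continue  # before the entry point, or from a host not yet in scope
        if is_internal(f.dst):
            touched.add(f.dst)     # possible lateral movement
        else:
            egress += f.bytes_out  # data leaving the network
    return entry.isoformat(), sorted(touched), egress

if __name__ == "__main__":
    print(rewind(FLOWS, "10.0.0.5", "2009-10-01T09:00:00"))
```

Replaying in time order matters: the 08:00 contact with 10.0.0.20 happened before the entry point, so that host is correctly left out of scope.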

We recently conducted a survey of our own of 200 security and IT professionals in large organizations, which found that an overwhelming number of companies have recently experienced, or expect to experience, a significant network security breach within the next 36 months.

Most of these respondents expected to be attacked at some point, and many said it took between 2 and 10 days or more to determine the scope of the attack (if they could determine it at all). This is telling and directly contradicts the report from Input. Instead of focusing exclusively on building higher walls and better locks, I would argue that our industry can take a page out of the real (physical) world and start to think differently about how we battle today’s most pressing national security threat.
