The Dangers of a Disaster-Driven Security Program - Following the White Rabbit Blog

Reality check... at least 30% of the customers I have worked with this year use a "disaster-driven" security program.

Yes, it means exactly what you think.  Nothing gets done, nothing gets approved until there is definitive proof that the $company has been hacked, stolen from, or otherwise compromised.

While we as security professionals often joke that this is the best way to make our point and get budgetary consideration - this is actually a very poor way to run things!  Why, you ask?  Let's analyze the situation.  There are many dangers to being reactive and jumping on the emergency du jour... not the least of which are wasted money, catastrophic loss, resource confusion, and an absolute loss of direction.  I think it's best if we address each of those points individually to make everything nice and clear.

It would almost seem logical to only spend money when things go wrong - that way you know where your weakness is and you can patch the things that are broken.  After all, you don't buy new tires because you think you'll be getting a flat, right?  You buy a new tire when the old one blows out, or wears too thin.  Same with the water heater, your roof, and pretty much anything else in real life... Yet there are serious logic flaws in that thought process.  First off, we all know it costs many, many more pennies to "clean up" after a disaster than it would have taken to avoid the disaster in the first place... hrmm... or do we?  You see, falling into this mental trap is easy... putting together the right logic to avoid it is quite difficult.

Let's first talk through how you would measure these options, in order to provide empirical evidence.  The important thing is to measure events which are relevant to your business and your model.  So if you're an industrial company with very little web presence trying to substantiate the need for web site security… good luck.  Measuring involves accumulating the costs, all of them, of a disaster-driven approach.  Those costs include data-breach notification, legal fees, lost productivity, projected loss of consumer confidence, and other things that are very soft measurements… again making the empirical approach difficult here.  Set those against the cost of the proactive controls that would have prevented or contained the incident; that comparison is the evidence you are after.  Whether you do your own research or trust industry models, you will come to the conclusion that fighting fires with band-aids is more costly than being proactive… guaranteed.

The next important point against disaster-driven security is catastrophic loss.  Since I often liken information security to life insurance, let's take that approach.  We all know you can't buy life insurance after the patient has crossed that line… I think we can all agree on that.  The same goes for security… sure, you can beef up your defenses after a major security disaster - but the damage is done!  Whether you're now dealing with untrusting customers or partners… you've got a tough hill to climb to win those people over again.  This of course completely ignores how brutal the media can be… and then there's "social media", which is merciless as well… Giving a press interview saying "Yes, we did everything we could proactively and still got breached" is much different than "Well, we were defenseless, but at least we'll be ready for the same attack next time!"… obviously.  Catastrophic loss leads to internal turmoil, profit shrinkage, people losing their jobs… and all sorts of nasty things… trust me, I know first-hand.

If you've ever been part of a data breach or worked for a company that's been hacked, you know how difficult it is to work in that environment.  Having leadership that either "follows the trends" or is "disaster-driven" means you'll never actually complete a project from start to finish.  This is true because odds are you start to plan, maybe even get into implementation, before something strikes and you're forced to drop everything and go do something else.  Without continuity in your work life it gets confusing and you start to lose your place, projects are forgotten, and there is a lot, and I mean a lot, of wasted everything.

Lastly, we address "loss of direction"… which at this point should be a self-evident outcome.  When you're chasing fireflies it's very easy to run off the pier, since you're looking not at where you're going long-term but at all the pretty shiny lights around you, lighting up and dying off.  Imagine, just imagine, if you had to chase one emergency after another.  Imagine what that would do to your ability to plan resources, budget, and set a clear direction for your department or company.  It's the perfect analogy for what's going on in companies with disaster-driven security practices.

Like it or not, many of you work in a company that believes security should be driven by incidents, not strategy.  Whether you want to or not, you're stuck "running around putting out fires" and have very little sense of direction.  Maybe it's time you did something about that?

Your #1 weapons against disaster-driven security are foresight and metrics.  You've got to anticipate, and measure carefully, to prove that there is more risk in waiting for a disaster to occur than in being proactive.  After all, that is what everyone in this industry should be doing.

Good luck!


Posted 09-17-2009 3:27 PM by RafalLos