We Have Security Prevention Bias

One can say that there are three stages of information security operations: Prevention, Detection, and Response. Of the three, it is usually prevention that gets the most attention. It recalls the old saying, “an ounce of prevention is worth a pound of cure.”


Prevention is stopping something from happening. Bias is partiality for a perspective based on beliefs or feelings rather than facts. Security prevention bias is favoring the expenditure of time, effort, and money on preventative measures at the expense of Detection and Response. Even though most will freely admit that we cannot prevent a breach – if a threat actor or group wants to break in and is persistent enough for a long enough period of time, they will likely succeed – companies in the U.S. show an inherent bias toward spending on prevention. Firewalls, IPS, Anti-Virus, DLP, NAC, DRM, Endpoint Agents: in spite of a pervasive awareness that at some point the effectiveness of preventative spend declines, we have an inclination toward investing in yet more and more prevention. The first layers reduce risk a great deal, but once that much infrastructure is in place, each additional layer reduces it much less.

[Figure: security prevention bias]

An appropriate balance between Prevention, Detection, and Response is in order. Some examples of detection – consisting of monitoring and alerting – include log aggregation and the use of a SIEM; ensuring 24/7 coverage through automation, staffing, or the use of an MSSP; and tuning your policies over time so that only actionable events result in an alert. Examples of response activities include having a dedicated Incident Response Team or an available MSS Red Team; having a documented playbook or collection of procedures to follow should a breach be identified; tracking metrics to gain insight into trends in your environment; and vulnerability and penetration testing, which can be conducted internally or by a third party to guarantee unbiased results.

Statistics from the Ponemon Institute’s 2016 report on breach costs show that not only do we have a prevention bias, it also costs us money. The Mean Time To Identify (MTTI) breaches among U.S. companies in 2016 was 191 days. The Mean Time To Contain (MTTC) was an additional 58 days. This lag increases the total mean cost to $17M, a 36% increase over breaches discovered in less than 100 days, or contained in less than 30 days.


[Figure: breach cost comparison; dollar figures listed in millions]

There are other breach cost metrics available in the Ponemon report, such as breakouts by industry vertical in which a per-record-lost, or per-capita, cost is assigned. In 2016 the mean was $221M per capita, with the Healthcare vertical far above that at $402M, Education close to the mean at $220M, and Hospitality far below that at $148M. Knowing the mean per-capita cost of $221M, and with probability metrics that indicate U.S. companies have a 24% chance of suffering a breach loss of at least 10,000 records in the next two years, some other interesting figures come to light: there’s a 1 in 4 chance your company will have to cover at least $2.2M in breach costs in the next 24 months.

It is vitally important, then, that security programs are prepared should a breach occur. Most security practitioners would agree that it is not a matter of if but when a breach will occur, with the hope that it has not already happened. Increasing capabilities in detection by using Managed Security Services to monitor and alert is a smart and effective way to resolve prevention bias: MSS starts up very quickly with little or no capital expense, establishes capable procedures immediately, is staffed with qualified personnel, and is likely to cost much less than it would if a company chose to build its own SOC.

In calculating the costs of building your own SOC, consider that in many or most markets it will cost $120,000 annually per staff member for payroll and total benefits, with at least five staff members needed to monitor and alert 24/7/365. SOC planning, hardware costs, and deployment costs could easily exceed $200,000, which leads to an estimated minimum $800,000 cost for a small-to-medium sized company to build and staff its own SOC with the capability to monitor firewalls, IPS, and AV. Adding more monitoring capabilities would increase the cost. By comparison, using MSS is a much better ROI.

[Figure: Build versus Buy Security Operations Center]



Founded in 2000, CIPHER is a global cybersecurity company that delivers highly accredited Managed Security Services holding ISO 20000 and ISO 27001, SOC I and SOC II, PCI QSA and PCI ASV certifications. We have received many awards including Best MSSP from Frost & Sullivan for the past five years. These services are supported by the best in class security intelligence lab: CIPHER Intelligence. Our offices are located in North America, Europe, and Latin America with 24×7×365 Security Operations Centers and R&D laboratories, complemented by strategic partners around the globe. 

