Focus should be on cyber prevention, not just reaction — Washington Technology

COMMENTARY

Back-to-basics: Focus should be on cyber prevention, not just reaction

Agencies have long relied on reactive security (compensating security controls) vs. preventive security (baseline security controls) to protect their information systems.

As an industry, we have largely ignored implementing baseline controls. They’ve proven very difficult to implement and manage at scale, and even more difficult to retrofit into an environment in which poor baseline practices around access credentials and code execution restrictions have persisted over time. Instead, the industry has favored the myriad compensating controls that promise to atone for the sins of these poor baseline practices and protect us from the inevitable. As a result, many agencies end up with tool sprawl: adopting too many one-off specialized solutions that complicate risk decision making, fail to scale, and fall apart in a borderless environment. This approach impacts productivity, complicates management workflows, and dramatically inflates costs as a byproduct.
