Booz Allen Hamilton

The Cybersecurity Dilemma: Incentives to Drive Change Rather than Reactive Response

 

 

Cybersecurity Insurance

Posted by Eric Cole on 11-10-11


Expert Reactions: Eric Cole, Associate
Organizations today need to recognize that they are going to get compromised. A comprehensive approach must take into account that prevention is ideal but detection is a must. In order to provide proper protection, an organization must have a list of all critical information and business processes that utilize that information, with all of this mapped to systems within the environment. It is important to always remember that knowledge is power. An organization cannot protect what it does not know. If the offense knows more than the defense, an organization will lose. Once accurate information is gathered, everything in security must map back to risk. Before an organization spends a dollar of its budget or an hour of its time, it should always answer three questions: 1) What is the risk? 2) Is it the highest-priority risk? 3) Is it the most cost-effective way to reduce the risk? While many organizations focus on risk remediation, today many risks cannot be properly remediated and need to be transferred to a third party. Therefore, cyber insurance is becoming more and more important to help an organization properly manage risk. In cases where an organization cannot remediate and/or accept the risk, utilizing insurance is an effective solution. While the industry is still not fully mature, this is a big growth area that will be required to keep pace with the advanced threat.

 

 

 
