The Vulnerable State

The first state is known as vulnerable. In this state are many smaller enterprises that have made the assumption that dealing with cybercrime is expensive or out of their control. These enterprises usually do nothing and pay the price when it comes to recovery from incidents. Fortunately, most enterprises have moved beyond this state.
The Reactive State

The second state is reactive. In this state are those enterprises that have a goal of achieving security, which is the majority of enterprises. What typically happens is a focus on prevention using traditional technologies, such as firewalls, intrusion prevention and anti-malware, combined with improvised, ad hoc responses as these technologies increasingly struggle with emerging threats. This makes for a lack of consistency and unnecessarily lengthy incident recovery times.
The Compliant State

The third state is compliant. In this state are those enterprises that have a goal of achieving one or more regulatory compliance objectives and typically do so because they are mandated. If it were not for regulatory bodies auditing and imposing penalties for failure to comply, these enterprises would most likely slip back to the reactive state. Whilst compliance seems like a great goal to achieve, it is based on a limited set of static criteria with a limited scope at a specific point in time. Target was PCI-DSS compliant, but that was still no match for the theft of credit card details from POS terminals by cyber criminals in 2014.
The Proactive State

The fourth state is proactive. In this state are those enterprises that place an emphasis on awareness of risk. Very few operate in this state. These enterprises are more strategic in their planning, and the scope of their efforts is enterprise-wide. They do not just focus on the target scope mandated by compliance, and they generally follow well-defined processes to ensure consistency in responding to similar incidents.
The Resilient State

The fifth state is resilient. In this state are those enterprises that go beyond risk awareness to risk understanding. Across the entire globe, the number of enterprises in this state is in the double digits. These enterprises excel in communicating risk throughout the enterprise; they have the entire enterprise engaged, from the directors who are accountable for fighting cybercrime to everyone else. Adaptability is a key outcome for resilient enterprises. They might get knocked down from time to time, but they always get right back up again. Risk is seen as an opportunity rather than a danger in resilient enterprises.

One common question that I am asked is what the difference is between security and compliance. Security is a binary state: an enterprise is secure or it is not. Nobody would call a bank vault that has been broken into, or a prison that has been broken out of, "secure." Resilience, on the other hand, goes beyond the mindset of prevention to include identification and remediation of vulnerabilities; prediction and prevention of threats; detection of and response to attacks; and confirmation of and recovery from breaches.

Having read about these states, you will likely identify with one of them. In which state does your organization find itself? Let us know in the comments.