|Click here for more articles from Dark Reading.|
Leek, who is the CISO at financial services and asset management firm Blackstone, says the more you know about your attackers and their M.O., the better chance you have in thwarting any real damage. That entails three main mindset and strategic shifts that security pros need to make, he says, to handle threats and attacks today: better visibility into threats and attacks, better intelligence about them, and a planned response rather than merely reacting to the latest threat, vulnerability, or incident.
"The reality is that bad guys have much more time on their hands than we do," says Leek, who gave a presentation from the CISO's perspective here at Interop yesterday. "If you're focused on prevention and not much on detection, you are flying blind sometimes because you don't necessarily know where you're headed."
Blackstone is adopting what John Pironti, president of IP Architects, says is a prime example of a risk-based model for security -- one where security pros serve as advisers to the business on the real risks facing their firms, rather than as the naysayers they sometimes appear to the business side.
"Security is the output" of what the business' risk profile defines, Pironti says.
Meanwhile, Leek estimates that most organizations spend about 70 percent of their capital, resources, and processes on prevention, but that model is no longer viable in today's threat landscape. "Our programs, generally speaking, largely reflect the vendor landscape" of mainly prevention-based tools, he says. "Why is this? Because it's sexier to sell prevention," he says.
Security teams need to change up their strategy, he says.