Being in IT operations (networking, systems…) can sometimes make me more cynical in my attitude towards security. This week has been one of those weeks. I sometimes get the feeling that IT (business) problem solutions can be insecure, but it would take an exorbitant amount of effort and time/money to fix some obvious problems. Ever have one of those problems that even 5 people meeting for 3 hours can’t even find a solution for? And sometimes things just get let go for the moment.
Kinda makes me wonder how many security folks are not necessarily doing direct security, but rather entirely doing workarounds and mitigations for poor solutions. Poor solutions are the result of cutting corners (time, money, quality) or incompetence (a harsh way of saying the people implementing it just didn’t know how to do it properly).
More arguments towards detection…
LV-
1.) The benefits of “prevent” aren’t readily noticeable. So there is a bias there to consider.
2.) Prevention is incapable of accounting for (true) “black swans”, but it (usually) allows for economies of scale better (making it generally cheaper) than detect & respond.
3.) Detection & Response can be just as effective as “prevent” but as you say – it just (usually) costs more.