which controls to implement?

Company XYZ has invested an increasing amount in security due to the changing threat
landscape. The company is going through a cost-cutting exercise, and the Chief Financial Officer
(CFO) has queried the security budget allocated to the Chief Information Security Officer (CISO).
At the same time, the CISO is actively promoting business cases for additional funding to support
new initiatives. These initiatives will mitigate several security incidents that have occurred due to
ineffective controls.

A security advisor is engaged to assess the current controls framework and to provide
recommendations on whether preventative, detective, or corrective controls should be
implemented. How should the security advisor respond when explaining which controls to
implement?

A. Preventative controls are useful before an event occurs, detective controls are useful during an
event, and corrective controls are useful after an event has occurred. A combination of controls
can be used.

B. Corrective controls are more costly to implement, but are only needed for real attacks or high
value assets; therefore, controls should only be put in place after a real attack has occurred.

C. Detective controls are less costly to implement than preventative controls; therefore, they
should be encouraged wherever possible. Corrective controls are used during an event or security
incident. Preventative controls are hard to achieve in practice due to current market offerings.

D. Always advise the use of preventative controls as this will prevent security incidents from
occurring in the first place. Detective and corrective controls are redundant compensating controls
and are not required if preventative controls are implemented.