Lately, I’ve been paying particular attention to the concept of having a cybersecurity portfolio. It approaches enterprise-grade cybersecurity the way a savvy investor approaches a portfolio: you diversify across a variety of assets so that no single failure sinks you, balancing risk against return. In the case of your finances, that might mean a healthy mix of higher-risk investments alongside consistently performing mutual funds. For cybersecurity, it means not putting all your proverbial eggs in the basket of prevention or detection, but having a balanced security spend that lets you prevent, detect, respond to, and remediate threats. The foundation of this idea is that there is no perfect perimeter security. Some threats will get in, so you must have mechanisms in place to limit how far they can reach and to counteract them once they are inside.
As I’ve pointed out throughout this series, central to the idea of the cybersecurity portfolio is the need for companies to know themselves. There is no one-size-fits-all portfolio that will be right for every business. Each business has different assets, in different places and on different infrastructures, and the way it protects those resources must therefore be tailored to it.