To understand how organizations create effective safeguards against
risk, we need to examine what drivers affect their ability to prevent,
detect, and mitigate risk. (See Figure 68.) The drivers must include
these elements:
- Executive leadership: The top leadership must prioritize security.
This is critical for the
mitigation of attacks, as well as their prevention. The executive team
should also have clear and established metrics for assessing the
effectiveness of a security program.
- Policy: Policy has strong ties to mitigation. Controlling access
rights to networks,
systems, applications, functions, and data will affect the ability to
mitigate damage from security breaches. In addition, policies to ensure a
regular review of security practices will help prevent attacks.
- Protocols: The right protocols can help prevent and detect
breaches, but they also
have a strong relationship to mitigation. In particular, regular
reviews of connection activity on networks, to ensure that security
measures are working, are key to both prevention and mitigation. It’s
also beneficial to review and improve security practices regularly,
formally, and strategically over time.
- Tools: The judicious and appropriate application of tools has the
strongest
relationship with mitigation. With tools in place, users can review and
provide feedback that is vital to detection and prevention as well as
mitigation.