This quotation is very appropriate when we consider protecting information against cyber threats. Putting this quote into context, means that as the maturity of an organizations Information Security Management System (ISMS) increases; the organization becomes less susceptible to successful cyber threats and, in many cases, prevents those threats from causing damage to the organization.
To eliminate any confusion in this blog, let’s define what we mean by “maturity” in this context. Maturity is not about the age of the ISMS program. Although many successful mature ISMSs have been developed and used over multiple years, it’s about the degree or extent of integration between the information security policy, standards and processes together with inter-dependence of associated technologies used to affect the security controls. Additionally, the maturity of the ISMS is also about how well integrated and supportive the program is with the overall goals and objectives of the organization and its business units and operational entities.
Mature ISMS implementations are not standalone programs that only consider Information Security and IT. They are inextricably linked to many other parts of the organization and the business focused policy, goals and objectives that they must follow to support the overall organization’s goals and objectives. It is this cohesive and integrated approach that bolsters an organization’s defenses against cyber threats. Where the ISMS--with its process, training and technologies used--is strongly internally coherent and integrated with the organization as a whole; the entire organization and its infrastructure become a huge cyber threat sensor. This supplements the usual technical sensors that less integrated and less mature ISMS programs typically use. Using the entire organization as a cyber-threat sensor means that the organization benefits from the combined optical, audio, and brain driven sensory detection mechanism that all members of the organization have.
Intentionally or not, humans often pick up snippets of information and quickly combine them together in ways that security technologies find very difficult or time consuming. This ‘human capability’, combined with a strong integrated ISMS program that consumes such information snippets and combines them with technical indicators in an information security intelligence process, often gives such an organization an early warning of an impending threat, or one that is in the early stages of being launched against the organization. Such an early warning means additional defenses can be proactively implemented to stop or mitigate the threat before it causes any, or too much damage.
The combination and support of a human sensory network, with the traditional information security technologies, policy, standards and processes, and the integration with the rest of the organization is indicative of a sophisticated and very mature ISMS program that truly follows Benjamin Franklin’s sage advice that "An ounce of prevention is better than a pound of cure."