The good prevent. The best prepare.
We'll often hear the advice:
"Most of the things you fear will never actually happen."
And there is certainly some truth to this.
But, relatively infrequently...
What we're afraid of does happen!
We do lose our job.
We do get a tough medical diagnosis.
Our business does lose our biggest customer.
And, in our world of IT, the hackers do successfully breach the network.
In these cases where bad things do actually happen...
The difference between "preventing" and "preparing" often becomes abundantly clear.
Here's what I mean:
Everyone prevents. It's just our natural inclination as humans.
When we're afraid of something...
We do as much as we can to stop it from happening.
On the cybersecurity front, this looks like:
Pen testing
Security scans
Purchasing new equipment
Running user cybersecurity trainings
(And a million other things)
Fewer leaders, though, go further than preventing...
And actually prepare (in detail) for the bad thing happening.
Back to cybersecurity, this might mean:
Setting up an intense DR program that essentially expects systems to go down
Spending on a premium cyber insurance policy to minimize the financial consequences of a hack
Air-gapping our key systems so that hackers have a very hard time moving around in our network, even if they can get in
Now, can this level of preparation be done for EVERY risk our businesses face?
Definitely not.
But for the few big ones? The ones that can "put us out of business" in 24 hours?
We have to think this way.
This world is just too uncertain.
And prevention, while fruitful, is very far from predictable.
Assume the worst. Prepare for it.
And hopefully, you'll never know just how prepared you actually were.