Late last year, Fox Sports ran an article about the Detroit Red Wings hockey team that suggested the squad was suffering from “defensive regression,” meaning its defense was getting worse rather than better over the course of the season.

What do the Red Wings’ problems have to do with cybersecurity? A lot, actually. Like the hockey team, organizations are continually struggling to adjust and improve their defensive strategies to stay ahead of the opposition. And like the team—which was suffering defensive breakdowns due to injuries and poor execution—organizations must find ways to mitigate unpredictable challenges related to both talent and techniques.

Devices & IoT: How Your Gadget Could Be Your Security Downfall

Spotting Regression

It should perhaps go without saying that there is no resting in cybersecurity. Even if your organization is completely, unquestionably secure today, that is no guarantee about tomorrow.

What could possibly go wrong in a day? Certainly any number of technical challenges could arise, from unexpected downtime to a never-before-seen exploit. Talent can also change quickly—an expert leaves, for instance, or a poorly trained newcomer arrives. In addition, great policies and processes, like great plays in any sport, may not be executed correctly or at all, leaving even a seemingly well-prepared organization vulnerable.

The key to spotting defensive regression is for employees at both the executive and operational level to be aware of its never-ending potential. Resting on one’s laurels, or feeling satisfied that cybersecurity defenses are sufficient, is not an option. Like a team on a winning streak, an organization that has gone weeks or months or years without suffering a major data breach or other security breakdown must be ever-vigilant—not only to identify regressions as they occur but also to predict them before they adversely affect the organization.

Anticipate the Inevitable

Once organizations recognize defensive regression as an ongoing concern, they can begin to take steps to mitigate it. As Brian Contos wrote recently on CSO, mitigation often involves answering critical questions that look beyond current performance. For instance, he suggests asking whether trends can be created to compare past with current cybersecurity performance, effectively identifying any defensive regression.

Other steps can also be taken to plan for and prevent defensive regression. For instance, talent will almost certainly move on at some point, and often without a great deal of notice. Organizations, in addition to working hard to retain good employees, should avoid situations in which only one expert holds a vast amount of knowledge. Imagine what would happen if any given staff member leaves, and establish strategies to mitigate the damage such a move would cause.

Failsafe measures can also be put in place to limit regression, especially regression due to human errors. Automated processes can help, along with extensive employee training, clear policies, and effective quality controls. It may also be wise to invest more time and resources in testing and measuring various aspects of cybersecurity performance to identify vulnerabilities and errors.

The Bottom Line

The most important point about defensive regression in cybersecurity is that it exists and is, in fact, inevitable. Threats change, technology fails, people make mistakes, policies get overlooked—change happens, in other words. Organizations need to accept that they too need to keep changing. Only by acknowledging, anticipating, and continually mitigating defensive regression can organizations chalk up more “wins,” one day at a time.

Devices & IoT: How Your Gadget Could Be Your Security Downfall