"They have faith in the promises from vendors, but putting it into practice and going through the process from start to finish once a quarter gives peace of mind," McGeorge said.
From a pen tester perspective, McGeorge said, "When I think of resiliency in companies, the ones that have impressed me the most have invested in virtualization."
With virtualized desktops, all PCs are created equal. "Nobody worked from the host operating system," said McGeorge.
"They were virtualized desktops in the company cloud, so if I am able to detect that Sam and Sally from sales have been compromised, I can nuke them, kick them off the VM, and create a new version and put them back on it so that everything is back."
The incident-response team can then look at what they can pull off the compromised image and give back to the users. The downtime is perhaps an hour, which is ideal for any organization. The problem, though, is that it is very expensive to implement.
"They have to make a huge investment in virtualization. Another problem is that if Sam and Sally are compromised, and we are saving all of their stuff onto the servers, the attacker has access to all the things they did before I detected they were compromised," said McGeorge.
There is no perfect solution, but the goal is to make recovery as painless as possible.
"This is where monitoring comes into play," said McGeorge. "They can tell when one user is making multiple modifications, changing a lot of documents all of a sudden."
Versioning also lets the incident-response team identify when a user was compromised, and it limits the damage one compromised account can do to a document that many people have access to, because a bad change can be rolled back.
"If Sam gets infected with ransomware, the document management will let me go back to the version before it was compromised," McGeorge said, "but this is very expensive and logistically complex."
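The two mechanisms McGeorge describes, monitoring for one user suddenly modifying many documents and a versioned document library that can be rolled back to the version before the compromise, as an added example in Python. This is not code from the article or from anyone quoted in it: the audit events, the "five distinct files in five minutes" threshold, and the names `VersionedStore`, `BurstDetector` and `replay` are all constructed assumptions for illustration.

```python
"""Burst-of-modifications detection plus versioned rollback (illustrative, not from the article)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of file-server audit events: (timestamp, user, path, new content).
# "sally" edits at a normal pace; at 10:30 "sam"'s workstation starts rewriting everything it can reach.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "sally", "/sales/q1.docx", "Q1 forecast v1"),
    ("2024-03-01T09:20:00", "sam", "/sales/pipeline.xlsx", "pipeline v1"),
    ("2024-03-01T09:45:00", "sally", "/sales/q1.docx", "Q1 forecast v2"),
    ("2024-03-01T10:00:00", "sam", "/sales/q1.docx", "Q1 forecast v3"),
    ("2024-03-01T10:30:00", "sam", "/sales/q1.docx", "ENCRYPTED"),
    ("2024-03-01T10:30:01", "sam", "/sales/pipeline.xlsx", "ENCRYPTED"),
    ("2024-03-01T10:30:02", "sam", "/sales/contacts.csv", "ENCRYPTED"),
    ("2024-03-01T10:30:03", "sam", "/sales/pricing.pdf", "ENCRYPTED"),
    ("2024-03-01T10:30:04", "sam", "/sales/renewals.xlsx", "ENCRYPTED"),
    ("2024-03-01T10:30:05", "sam", "/sales/README.txt", "ENCRYPTED"),
]


class VersionedStore:
    """Append-only document library: every write keeps the previous version (assumed design)."""

    def __init__(self):
        self.history = defaultdict(list)  # path -> [(ts, user, content), ...] in write order

    def write(self, ts, user, path, content):
        self.history[path].append((ts, user, content))

    def current(self, path):
        return self.history[path][-1][2]

    def version_before(self, path, ts):
        """Latest version of `path` written strictly before `ts`, or None if none exists."""
        prior = [v for v in self.history[path] if v[0] < ts]
        return prior[-1] if prior else None

    def rollback_user(self, user, since, now):
        """Undo every write by `user` at or after `since` by re-writing the last clean version.
        Files that only came into existence during the burst (e.g. ransom notes) have no clean
        version and are reported as unrecoverable. Note: this restores the version before the
        user's first tainted write, so edits other users made after that point are also undone."""
        restored, unrecoverable = {}, []
        for path, versions in list(self.history.items()):
            tainted = [v for v in versions if v[1] == user and v[0] >= since]
            if not tainted:
                continue
            clean = self.version_before(path, tainted[0][0])
            if clean is None:
                unrecoverable.append(path)
                continue
            self.write(now, "ir-team", path, clean[2])  # history is never deleted, only appended
            restored[path] = clean[2]
        return restored, sorted(unrecoverable)


class BurstDetector:
    """Flags a user who modifies at least `threshold` distinct files inside a sliding `window`."""

    def __init__(self, threshold=5, window=timedelta(minutes=5)):
        self.threshold = threshold
        self.window = window
        self.recent = defaultdict(deque)  # user -> deque of (ts, path) within the window

    def observe(self, ts, user, path):
        """Returns the start of the burst (earliest event still in the window) when it fires, else None."""
        q = self.recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > self.window:
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            return q[0][0]
        return None


def replay(events, threshold=5, window=timedelta(minutes=5)):
    """Feed audit events through the store and detector; on the first alert, roll the user back."""
    store, det, alert, last_ts = VersionedStore(), BurstDetector(threshold, window), None, None
    for ts_s, user, path, content in events:
        ts = datetime.fromisoformat(ts_s)
        last_ts = ts
        store.write(ts, user, path, content)  # writes keep landing until the user is kicked off
        burst_start = det.observe(ts, user, path)
        if burst_start is not None and alert is None:
            alert = (user, burst_start)
    if alert is None:
        return {"alert": None, "restored": {}, "unrecoverable": [], "store": store}
    user, since = alert
    restored, unrecoverable = store.rollback_user(user, since, last_ts)
    return {"alert": (user, since.isoformat()), "restored": restored,
            "unrecoverable": unrecoverable, "store": store}


if __name__ == "__main__":
    result = replay(SAMPLE_EVENTS)
    print("alert:", result["alert"])
    print("restored:", result["restored"])
    print("unrecoverable:", result["unrecoverable"])
```

On the constructed events the alert fires at the fifth distinct file and names 10:30:00 as the burst start; the two documents that existed before the burst come back, while the four files first written during it cannot be restored from versions alone, which is the gap McGeorge points at when he says the attacker already has everything the user touched before detection.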
The CSO or CISO has the authority to decide, across the organization, which documents are critical and should go into the document management system. "Only those documents that are mission critical should go into the document library," McGeorge said.
Whether they use virtualization, monitoring, or versioning, "They need to practice their backup and recovery strategy for different parts of the enterprise, from the sales team to the desktops and mail server, all the stuff that cannot fail," McGeorge said.
Ryan Manship, Red Team Security's security practice director, said that the ability to respond to and recover from an incident or an attack is great, "But we also need to think about identification, about detection and intrusion prevention. This is a big thing. It's a big deal and it matters."