Security from a corporate perspective is complex, and Manship said it also has to account for the realities of business. "There are different types of businesses, business verticals, assets that need different protections as it pertains to the value of those assets."
Organizations first need a level of security commensurate with the value of their assets and in line with their business risk appetite. "They should have options for protecting themselves against risks and adopt the procedures and controls to be in alignment with that understanding," Manship said.
Resilience after an attack begins with an organization knowing its vulnerabilities so that it can protect against them. "It starts with knowing what their attack surface consists of--the risks--to make prioritized risk-based decisions," Manship said.
Another key piece of a resilient organization is robust monitoring that lets it identify threats as early as possible in the cyber kill chain so that it can react accordingly.
"It's difficult to accurately and appropriately tune these solutions so that they aren't getting too much noise. Noise makes us desensitized. If the solutions aren't well tuned, they just produce noise," Manship said.
Whichever approach they decide upon, they need to practice, just like anything else, said Manship. They should have processes and procedures that they test, so that in the event of a disaster they have already determined whom they need to notify.
One piece of advice Manship offered: "Make sure they have the right people helping them who understand all of their risk holistically and are enabling them with the information they need to make those decisions."