Your company has invested an increasing amount in security due to the changing threat landscape. The company is trying to reduce costs, and the CFO has queried the security budget. At the same time, you as the security practitioner are actively requesting additional funding to support new initiatives. These initiatives will mitigate several security incidents that have occurred due to ineffective

controls. You assess the current controls framework and provide recommendations on whether preventative, detective, or corrective controls should be implemented. How should you explain which controls to implement?

A. While corrective controls are more costly to implement, they are only needed for real attacks on high value assets. Put controls in place after a real attack has occurred.
B. Detective controls are less costly to implement than preventative controls and should be encouraged wherever possible; corrective controls are used during an event or security incident; and preventative controls are hard to achieve in practice with current market offerings.
C. Use preventative controls as this will prevent security incidents from occurring in the first place. Detective and corrective controls are redundant compensating controls and are not required if preventative controls are implemented.
D. Use preventative controls before an event occurs; use detective controls during an event; and use corrective controls after an event has occurred. Use a combination of controls.

---

D
Explanation: You should explain that the company should use preventative controls before an event occurs, use detective controls during an event, and use corrective controls after an event has occurred. Therefore , you should use a combination of controls.