You will get breached. Get over it

It's no longer really a question of 'if' but 'when'. Maybe not all companies will get breached, but many will, especially those that are specifically targeted by attackers. That's not about waving the white flag (more on that in a bit). And neither is it always an indictment of a company's security posture. Some organizations are careless. But many others are just unlucky. It's hard, for instance, to imagine that organizations such as Sony, RSA, Oak Ridge National Laboratory, and Google got breached because they weren't paying attention to security.

The simple fact is that there are just far too many ways that a company can get compromised these days, and it's unrealistic to assume that they can defend against every single attack, every single time. Unless an enterprise simply disconnects from the Internet, sooner or later, the bad guys always will get lucky. If someone really wants to, they will find a way in.

Enterprises (at least many of them) are spending more on security these days than before, but they are also more at risk. Any company with an Internet presence presents a large attack surface for those who want to target them. Operating systems, Internet browsers, application software and database tools continue to be as buggy as ever. The security products that companies use to protect themselves aren't always secure.

Then there's the whole consumerization of IT thing going on. And of course, there's always the errant end user who's going to click on a phishing email, or share music over a file-sharing network using their corporate PC, or post a corporate document on their Facebook page. And let's not forget the increasingly well-funded, increasingly well-organized and increasingly well-armed cyber crooks that are constantly devising clever new ways of breaking in and stealing stuff.

None of this is about being defeatist or throwing in the towel and letting the bad guys walk all over. Rather, it's more about acknowledging that breaches can and will happen. It's more about damage containment and being ready for what happens when an intruder does break in. An intrusion means little if the intruder has no place to go, nothing to steal and nowhere to hide.

Enterprises obviously need to continue doing everything they are doing and more. Perimeter and network protection technologies such as firewalls and anti-malware tools and IDS and IPS are still going to be vital for protecting against a vast majority of the threats out there.

But analysts say there also needs to be much more of a focus on continuous monitoring of internal networks and systems so as to be able to detect break-ins and anomalous behavior sooner.

It means doing things like encryption, and segmenting networks and data where possible to make it harder for intruders to move about inside an enterprise network. It means having the tools to track an intruder's movements and having sensors for detecting Web beacons and data exfiltration attempts. It means having a good forensics capability for detecting what went wrong and remediating it quickly.

The federal government is already doing a lot of this stuff or is moving in that direction anyway. Federal agencies these days, for instance, are required to implement a continuous monitoring capability as part of their FISMA compliance requirements.

Many agencies are also in the process of reducing the number of touch points they have with the Internet so as to be able to protect the remaining ones better. Data encryption is required in many cases for any sensitive data that is stored on mobile devices. Despite all this, federal agencies do get breached. But at least they are no longer focused only on attack prevention.

Preparing for a breach is not an admission of failure or of weakness. It's just common sense. Going forward, the true measure of a company's security readiness will not be just how well they defend against attacks but also how well they respond to the one that slips past their best defenses.
