The Security Paradox

Why breach prevention and response strategies are both essential.

Are breaches inevitable? That simple question is dividing the technology world today.

Depending on who you talk to within the cybersecurity industry, the answer is either a simple yes or a battle cry to fight international surrender in cyberspace. But be warned: Asking this “inevitable” question is loaded with hidden traps. Your answer will likely affect your enterprisewide cyberdefense priorities and overall security funding strategy.

Breaches Everywhere

First we have a sea of scary breach headlines along with consistent problems keeping sensitive data out of enemy hands. Late last year FBI Director James Comey proclaimed that Chinese hackers have invaded every major U.S. company. Comey also said the Chinese aren’t very good at covering their tracks. “Their strategy seems to be: We’ll just be everywhere all the time. And there’s no way they can stop us.”

There are also well-known lines from leading technology CEOs like former Cisco head John Chambers, who said, “There are two types of companies: Those who have been hacked, and those who don’t yet know they have been hacked.”

One “security manifesto” lays out philosophical and technological arguments for why breaches are inevitable, including the way the Internet is built, problems with business partner connectivity, trouble with employee Web-surfing habits and even new technology deployments with vulnerabilities. 

But it doesn’t stop there. In fact, the “not if, but when” champions make the case that your IT security dollars should be spent on incident response and network redesign, and not on breach prevention.

Rick Holland, a security and risk management analyst at Forrester Research, told the BBC that companies must redesign networks to respond faster to the inevitable breach. “This involves separating one part of the network from another in such a way that if hackers get onto the network, they only get access to the data in that segment and no more.”

Not So Fast

But not everyone thinks breaches are inevitable. Invincea CEO Anup Ghosh told Washington news site DC Inno that breach prevention is possible, proclaiming “breach inevitability” is just marketing.

Ghosh mocked competitors: “You cannot stop the breach. So don’t even try. … To me that’s a self-serving message. What you’re really saying is, ‘Don’t invest in prevention because you’ll never stop the threat.’”

And those arguing for more investments in new technologies to stop breaches point to the National Institute of Standards and Technology (NIST) Cybersecurity Framework to make their case. The framework includes five core functions: identify, protect, detect, respond and recover. 

As a Harvard Law article points out, agencies must demonstrate due care: “Organizations can potentially avoid the inevitable conclusion (or parallel accusation by a plaintiff’s attorney) that they were ‘negligent’ or ‘inattentive’ to cybersecurity best practices following disclosure of a cyberbreach.”

Is There a Middle Ground?

Back in early 2013, I was one of the first cyberpros to ask: “Are data breaches inevitable?” The context was slightly different at that time, as I was clearly placing myself in the “yes” camp. My goal was to encourage improved cyberincident response capabilities.

But the debate has evolved. Proponents of the “inevitable breaches” idea are now moving to almost throw in the towel against hackers. With Ghosh, I think this is a mistake.

Why? Consider banks, which despite knowing that robberies will happen, have numerous processes and procedures in place to stop criminals. From cameras to guards to timed vaults, banks have adapted to new threats to inhibit bank robberies, as well as respond to incidents when they do happen.

No doubt the bad guys are ahead of the good guys regarding cybercrime today. But there is still hope. Some breaches, like bank robberies, may be inevitable. Nevertheless, your local branch getting robbed is not a foregone conclusion. 

Bottom line: Build your security priorities around all five NIST Cybersecurity Framework functions. “All of the above” is a third option to prepare for inevitable cyberattacks. 
