Use the Inevitability of Security Breaches to Your Advantage
Companies that may not be taking security as seriously as they should are often told, in an attempt to wake them up, “It’s not a matter of if, but when.”
Historically, I’ve not been the biggest fan of this saying, in that it has a certain undertone of doom and gloom. It’s a bit like one of those life insurance commercials that morbidly remind you that you will die someday and you want your loved ones to be looked after financially.
However, the reality is that, depressing as it may sound, we will all die at some point. And it is likely that a company that uses technology and is connected to the internet in some way, shape or form will experience an incident of some magnitude over the course of its life.
Being attacked or compromised by an external or internal party isn’t a black swan event that falls outside of the norm. It’s very much a part of everyday life.
Where many companies go wrong is believing they can eliminate these attacks completely. But this isn’t practical because randomness and variability are the rule, not the exception.
It’s like when you have a flight to catch: Most people will tend to leave earlier than needed to factor in unforeseen traffic or other delays. We do this because we know and understand that a journey consisting of planes, trains and automobiles will inevitably encounter some delays. So we plan for it.
Similarly, enterprises should plan for the unexpected and build it into their fabric to ensure that not only can the business remain resilient in times of adversity, but that it can also flourish.
So, what can make a company more resilient to security incidents and black swan events?
What better way to see how an attacker will fare against your systems than to subject them to the same stresses yourself? It’s not so much a case of proving that all your systems are unbreakable. Rather, this kind of testing gives you a level of assurance as to how long your defenses can hold up, whether you have effective means of detecting and responding, and, perhaps most importantly, what the impact on the business or customers will be.