* Introspection: First, examine why we are not winning the war against hackers, cybercriminals and the rest. Why are we not winning? Because we stubbornly follow the definition of insanity often attributed to Einstein: doing the same thing over and over again and expecting a different outcome. In this case, that same thing is responding to breaches by investing disproportionate sums of money in perimeter defenses in a futile attempt to prevent the next one.
The industry needs to stop living in the past. It needs to try something new. It needs a heavy dose of introspection so it can adopt a new mindset: the "secure breach." Let's dig deeper into the remaining steps to changing the status quo:
* Acceptance: Stop pretending you can prevent a perimeter breach. Accept that it will happen and build your security strategy accordingly. We need to admit that we, as an industry, have a problem. Start by asking yourself whether your security philosophy has changed much in the last 10 years. It almost certainly has not. You are probably spending 90% of your security budget the same way you did back in 2002, which means it is focused on perimeter and network defenses.
It is difficult to name another IT sector that has stayed the same for as long as ours has. It's as if we've had blinders on, telling ourselves to stick to breach prevention. But that mindset isn't advancing organizations. Look at other sectors within the IT industry and you'll see huge change in the last five to 10 years, because there was no choice. The way people demand, use and share data is nothing like 2002, yet our security spending still targets the problems of 2002, so the problem and the solution no longer match. It's no longer just about the network or our PCs. It's about the actual data.
Now, that isn't to suggest that organizations should stop investing in key breach prevention tools or do away with layered security. What we need to do is place our bets on strategies that protect our most valuable assets. Just like the military, IT should always presume to be functioning in a compromised state.
* Understanding: The third step is knowing who your enemies are and what they're after. Today's threat is not from kids looking to prove they are smart enough to deface a website. Modern adversaries are sophisticated, international organizations whose business is to defeat your defenses. They might be organized crime syndicates, nation-states or hacktivists.