Perimeter defenses to keep all attackers out are no longer feasible, many experts say.

It may be a tired mantra for those dealing with the prospect of data breaches – “It's not if, it's when” – but it's no less true today. Breaches come fast and furiously, often without warning. But, sometimes, it's because organizations are tempting fate by failing to protect themselves before a breach hits, and then failing to manage the aftermath.

“Every industry is impacted by breaches, without exception,” says Ed Moyle, director of emerging business and technology at ISACA, a nonprofit, independent information security trade group. Security flaws, he says, are inevitable as a part of the push for ever-increased networking. 

It takes a few generations of a technology to really ‘iron out the kinks’ from a security point of view, he says. “Eventually, these issues became less problematic – at the end of the process is a fairly robust, resilient and mature technology. But the road there is a long one for any given technology.”

Rick Betterley, president of Betterley Risk Consultants, a Sterling, Mass.-based insurance risk management consulting firm, and author of industry newsletter The Betterley Report, says that his moment of recognition occurred when he heard that Lockheed-Martin had been successfully breached. 

“That was my moment of epiphany,” says Betterley. “Now I know there's nobody out there who can't be breached. I used to sort of accept clients telling me that they were pretty well secured. I didn't have the ability to evaluate that. But after I saw Lockheed-Martin get breached, I couldn't believe that anymore.”

But, if every breach is a colossal headache for the organizations that suffer them, they are also experiences fraught with lessons, most notably: Protect yourself upfront and have a way – including tools, processes and resources – to endure the aftermath.

Risk analysis has been a part of the cybersecurity universe for some time. However, previous risk-analysis approaches endeavoured to protect absolutely everything – rather than identifying and protecting what mattered most to organizations, says Eddie Schwartz, international vice president of ISACA and president and chief operating officer of WhiteOps, a New York-based fraud prevention firm.

Today, he says, we're seeing the rise of targeted risk analysis, where one essentially interviews people at the various levels of the business and asks: What matters most to you? What would cause the most pain to the business if we lost it, or if there was a problem with data integrity, or if it was unavailable to you for some period? “That change in focus is different from the idea of building a wall,” he says.