
Security leaders should replace the assumption of a breach with a different approach

The power of the subtle shift from “assume breach” to “anticipate breach” changes the framing entirely, says leadership columnist Michael Santarcangelo. (iStock via Getty Images)

For security leaders to earn our seat at the table, we need to deliver value by solving the right problems and communicating what counts. What we say is important, and how we say it matters more than we realize. We need to build confidence in our leadership and our capability to protect what is important to the business.

Then we shoot ourselves in the foot with the misguided notion of “assume breach,” and we need to replace it with a better approach.

Cyber confusion and misplaced focus on breach

Cyber is confusing, as I explained in the need to help people understand security.

When we say “cyber,” people hear “spider” and want to kill it, preferably with fire. Just because people realize that, like spiders, cybersecurity is helpful doesn’t mean they understand security or want to be around it. Most people still look to avoid security.

Now faced with the responsibility and expectation to address “security,” more executives and boards resort to what they know, prompting them to ask security leaders if they protect the company from breaches.

I’ll wager that’s not your favorite question to answer.

Hopefully, we’re moving past the notion that all breaches are fatal and our only focus is to prevent breaches. But breaches still make headlines, and we need to handle them smartly.

Perhaps born of good intentions, I hear too many people utter “assume breach” to express, firmly, that you will get breached. Or that you already are!

It feels like this answer came from the exasperation of trying to respond to “nothing has happened to us yet.”

“Assume breach,” then, is simple: warn people that breaches are everywhere. It’s not if it will happen to you, it’s when. Maybe it already has happened.

It’s a terrible choice.

Why assuming breach weakens your position

The core problem with assuming breach is how negative it is. You’re telling people that no matter what they spend, what they do, and what you do — the big terrible breach is going to happen, anyway.

What happens when you tell someone already confused by the term cyber and not sure what to make of the security team that they should just assume someone already breached them and the game is over?

After all, if we’re breached anyway, then why are we spending so much money on security?

It’s a defeatist way to approach security that sets entirely the wrong framing. Our fear of failure somehow leads to invoking failure as a bizarre preventative measure.

Professionals anticipate

Experts predict, and professionals anticipate. Check out the definition of anticipate, which includes:

  1. to give advance thought, discussion, or treatment to
  2. to foresee and deal with in advance
  3. to act before (another) often so as to check or counter

The power of the subtle shift from “assume breach” to “anticipate breach” changes the framing entirely. Instead of starting from a defeated position, you move from a place of confidence.

Instead of suggesting doom without hope, shift focus to what matters to the business. Even better, this is the opportunity we covet to bring security closer to the business, build trust, and take actions that protect what they care about.

Do you know what matters most — and what the potential impact of a breach is?

What happens if a breach happens?

“What happens if a breach happens?” is the opening question I’ve used for nearly a decade in keynotes, podcasts, workshops, and private engagements with executives and boards.

I intentionally ask "if" instead of "when."

I also keep the construct vague in the beginning. That’s because when I first ask, the common response from leaders is, “I don’t know.”

I’ve learned to accept that answer at face value, then ask some questions.

Sometimes they explain why they aren’t worried about a breach. Lately, they confess they just aren’t sure, and it opens the door to a great conversation about what matters and how a breach might affect them.

We need to engage in these high-level conversations to figure out what’s important and make sure we have the right understanding. Assuming people just know is as dangerous as assuming breach. Working together allows everyone a better understanding.

Lead with confidence to deliver value

Instead of assuming breach and feeling defeated, we can anticipate and take confident action.

With clarity on what matters, we gain flexibility in approach. The more we know what to look for, the more we can engage with others. This is how we gain recognition as a leader who “happens to be good at security.”

Michael Santarcangelo

Michael Santarcangelo is the founder of SecurityCatalyst.com, author of Into the Breach, and creator of the leadership-driven Straight Talk Framework – with our favorite question, “What problem are you trying to solve?”
