When. Not If.
To Effectively Protect Against Threats, Cyber Professionals Should Design Their Defenses Around An "Assumption of Compromise"
by Ashok Sankar
In the age of advanced cyber threats, should enterprises operate under an “assumption of compromise,” accepting that breaches are inevitable, determined adversaries will find a way in, and penetrations are a matter of “when, not if?”
At the recent Gartner Risk and Security summit, the debate simmering around that question was laid to rest, ushering in a new reality in enterprise security. During his opening keynote, Peter Firstbrook told the audience in no uncertain terms that compromise is inevitable and security managers should prepare to face this fact. As with any such assertions, there are two schools of thought. One accepts this as the new reality and takes action. The other rejects it as a defeatist attitude.
Nowhere was this made clearer to me than at a recent dinner event with a few CISOs. The topic of discussion was incident response – essentially a mitigation process activated after an enterprise is compromised.
In the course of conversation, I was asked to explain Raytheon’s objective in the commercial cyber security space (a common question given our defense-focused heritage). As I explained that our market approach is based on the assumption of compromise – and on lessons learned while operating in some of the most hostile environments in the world – it was clear to me that the CISO who asked the question was conflicted.
He readily acknowledged the shortcomings of today’s technologies and his team’s limitations. He was not as ready, however, to agree that compromise is inevitable despite his significant investments in security technologies. “Isn’t that defeatist?” he asked.
Operating an enterprise under the assumption that your systems will never be compromised is akin to deciding that because you take vitamins every day, eat right and exercise regularly, you don’t need to buy health insurance until after you’re already ill.
Acknowledging the inevitability of compromise is not admitting defeat any more than having health insurance means you’ve resigned yourself to an unhealthy life. A response and recovery plan is like insurance against the worst-case scenarios an enterprise may face. Instead of writing off the concept as “defeatist,” many security officers are proactively educating their C-level executives and Boards on the concept while preparing themselves and their systems to contain and control threats.
Ashok Sankar is the Senior Director of Cyber Product Strategy and Management for Raytheon.