The Emotional Barriers to Embracing the Presumption of Breach Doctrine
November 1, 2011
Every day, another breach. For every breach story we read, what would you guess is the number of known breaches that do not get reported? 1? 5? 100? Then there is the big unknown. The “you don’t know what you don’t know”. How many breaches are there that will go undiscovered for yet another day? I have used the following numbers from the Verizon Business 2011 Data Breach Investigations Report (published May 2011) before: 60% of breaches go undiscovered for a month or more, and 84% are discovered by someone outside of the organization.
I witness a very interesting response to the inescapable reality of today’s IT security environment every day from a somewhat unique position. How Triumfant works and what it does requires organizations to make the fundamental recognition that attacks are getting past their shields and therefore they are getting breached. In the face of the overwhelming available evidence, this would seem to be an easy and completely defensible position for any organization to take. Yet I consistently see a resistance that seems to be rooted in emotion rather than reason.
As Commodus put it in Gladiator: “It vexes me. I’m terribly vexed.” So much so that I have thought long and hard about the emotional side of this problem and have come to what I think are interesting and valid conclusions.
First is the inability to let go of the notion of full protection against attack and embrace the “Presumption of Breach” doctrine. It is far more comforting to have 100% faith that your shields will protect your systems without fail, regardless of the attack or the attacker. Everyone wants to be protected, and everyone is far more comfortable thinking about prevention than about detection. When you have spent 20+ years building walls and feeling protected (albeit a false comfort) behind those walls, a conversation about breaches rocks that world profoundly. A further paradox is that the more an organization is in denial, the less likely it is to have detection capability, which means it won’t know it has been breached, which only feeds the denial.
The IT security market feeds on the myth of the 100% shield and continually sells the next layer to organizations with the promise that this time, THIS TIME, we have the answer.
If an organization faces the uncomfortable reality that it has been breached, then there is an emotional backlash: “How could this be? My IT security team assured me we were protected! My vendor partner also assured me we were protected! Who is to blame?” The problem also cuts across personal boundaries to the heart of the reputation and job security of key people in the organization, because assuming that the organization has been breached creates the misconception that someone has to be at fault.
Let’s address these backlash issues directly.
This is not the fault of the CSO/CISO or the IT security team, nor have these people failed the organization. They are up against a motivated, organized, and relentless adversary who benefits from the advantage that offense always has over defense. A motivated, well-funded and patient adversary that wants to target a specific organization’s network is really hard to stop. The roster of recently breached organizations is a who’s who of the most sophisticated and disciplined security practitioners on the planet. If they were breached, why would your organization be different or exempt? Doing the prudent thing and putting a solution in place to detect breaches and respond rapidly is not an admission of failure by IT security.
This is not the fault of the shield software in place. At least not completely. There is no 100% shield, and in spite of vendor claims there is no silver bullet. If you bought a shield product believing it to be 100% effective, then the fault is yours. Embracing the cold hard fact that every shield can be evaded is the first step toward progress. By the same logic, getting breached does not mean that the person who bought the shields failed.
This is not the fault of IT management. Pushing through a new tool that detects successful breaches may raise all manner of questions at the executive level and with the board, who likely received assurances that the necessary shields were in place. Breaches now bring reputational risk that can negatively affect consumer trust and even business valuation. Getting breached is a business risk as well as a security risk, and executive management and the board must be educated accordingly.
This is not going to happen to our organization. Hope is not a strategy. Neither is denial. There are two types of organizations: those who know they have been breached and those who don’t yet know. The Advanced Persistent Threat is not just a problem for the DoD or the NSA. The recent Duqu attack is yet another wake-up call that organizations can no longer ignore.
Uncomfortable realities are, well, uncomfortable. But they are reality nonetheless. Organizations need to embrace the reality of the moment, get past the emotional objections and the associated finger pointing, and face the challenges that this new reality brings. You will get breached. Attacks will evade or get past your shields. You must have a tool in place to perform rapid detection of and response to those breaches.