In an attempt to wake up companies that may not be taking security as seriously as they should, they are often told, "It's not a matter of if, but when."
Historically, I've not been the biggest fan of this term, in that it has a certain undertone of doom and gloom. A bit like one of those life insurance commercials that morbidly remind you that you will die some day and you want your loved ones to be looked after financially.
The reality is though, that as depressing as it may sound, we will all die at some point. And it is likely that a company that uses technology and is connected to the internet in some way, shape or form, will likely experience and incident of some magnitude over the course of its life.
Being attacked or compromised by an external or internal party isn't a black swan event that falls outside of the norm. It's very much a part of everyday life.
Where many companies go wrong is believing they can eliminate these attacks completely. But this isn't practical because randomness and variability are the rule, not the exception.
It's like when you have a flight to catch, most people will tend to leave earlier than needed to factor in unforeseen traffic, or other delays. Because we know and understand that a journey consisting of planes, trains, and automobiles will inevitably encounter some delays. So we plan for it.
Similarly, enterprises should plan for the unexpected, build it into its fabric to ensure it can not only remain resilient, but flourish in times of adversity.
So, what can make a company more resilient to security incidents and black swan events?
What better way to see how an attacker will fare against your systems than to subject your systems yourself to the same stresses. It's not so much a case of proving that all your systems are unbreakable, but rather it gives you a level of assurance as to how long your defenses can hold up, whether you have effective means of detecting and responding, and perhaps more importantly, what the impact on the business or customers will be.
Often, when speaking of redundancies we think of business continuity planning which inevitably many boil down to the art of "buying two of everything."
Often a company may avoid the cost associated with having redundant systems because it may never be used. Although, the truth is that not needing a redundant system is the exception, not the rule.
It's also important to have alternative redundancies in place. For example, if a system goes down, is there a manual workaround that could be deployed? Could online transactions be diverted to call centers? If cash is unavailable, can cryptocurrencies be used? Or precious metals? Or cigarettes even.
Not all risks are created equal
Critical assets are the life blood of an organization. They are the crown jewels that help the company be profitable through sales, services, or innovation. But it can become easy to miss some of the risks amongst the large sea of issues.
Which is why it can make sense for companies to at least adopt a dual risk strategy whereby it can play it safe in some areas and take more risks in other.
Have multiple points of resilience
It's not just attacks that are on the rise. There are a number of factors such as errors, changes, or infrastructure migrations that can all lead to security incidents. Therefore it's important to build resilience at multiple points across the business.
Maybe it's time to stop fearing, or thinking of the phrase, "it's not if, but when" in a negative light - but rather as a positive opportunity - one that can allow security teams to proactively innovate to get the best outcome for themselves, and their company.