We need to retire the phrase “attackers only have to be right once; defenders have to be right 100% of the time”. Here are three* reasons why:
- It reinforces a self-destructive culture: The phrase implies that 100% prevention is the only acceptable metric, which is one of the main factors driving burnout in our industry. We know this from the data, not just intuitively: Bridewell’s 2022 “Cyber in CNI” study found that 41% of CISOs wanted to leave their role because they believed a compromise would tarnish their career. Gartner data tells the same story.
- It’s an impossible standard: Breaches are a question of when, not if. The goal is not to prevent every breach but to stop attackers from accomplishing their objectives once they are in. That is the outcome that security teams, and corporate boards, need to focus on. Otherwise you set up not only security leaders to fail (by holding them to an unrealistic standard) but the entire business as well: organisations that haven’t adopted an “assume breach” mindset typically haven’t invested enough in the detective and recovery controls that limit what an attacker can do after the initial compromise.
- It misrepresents success: The 99 successes matter more than the 1 that slipped through. We don’t champion our successes enough in security, even though it is (almost) a statistical certainty that those 99 wins prevented far more material impact than the 1 we didn’t catch. One reason business leaders struggle to understand the value of security investment is that we simply don’t tell them: we frame the material impact of the losses, never of the wins. This is self-defeating.
- *Bonus: We should never be one mouse click away from an extinction event anyway. If we are, the security programme’s controls are deficient. It’s OK to sometimes lose a battle if you win the war (see the second point above for what “winning” should really mean). This is the whole point of Assume Breach, Attack Graph and Defense-in-Depth thinking.