
You're in charge of security at a large e-commerce company, and your view is that your company is bound to get hacked?

I think that's a very sad commentary on how little your company values security.



I think your perspective is either immature or unrealistic.

OP's a realist. His perspective has nothing to do with how a company values security.

No one in security assumes they won't get hacked; we assume we will, and when we do get compromised, our metrics aren't measured on "if". Our success metrics are:

* How quickly we find out
* How much damage we can mitigate
* How quickly we mitigate the risks and controls for X vulnerability, and
* How we incorporate our reporting to find trends, to find the event quicker next time

Now we report on many compromises. I'm not talking just about data breaches here, there's a whole spectrum of compromises that we manage and mitigate.

I don't know anyone who operates in Security who has a different mindset to OP.


> OP's a realistic. His perspective is nothing to do with how a company values security.

Of course it does. The stick is not big enough, so CSOs just do not care enough. Increase the size of the stick and it would split the group of CSOs into two:

1. Those like OP will run away saying "I'm not going to put myself in the line of fire if crap gets hacked". We need broomsticks for those.

2. The ones that will say "OK, two years", do their best and probably succeed.


Having practices in place for the event of a hack is obviously good, but it doesn't imply believing that you can't control getting hacked and can't win against the hackers (previous poster's exact words).


It's because you can't control it. There are limitless attackers and vectors. Security is mostly a game of being hardened enough to where most of those attackers will give up and go off looking for easier targets. Against a zero-day that nobody knows about yet, or an extremely determined attacker with a lot of patience? You will eventually lose, and you have to do your best to detect when it happens and act accordingly, as stated previously.


Our company cares more about security than anyone in our space, if you look at how much we invest relative to the others. We have full time penetration testers on staff. We contract out to countless third party security vendors. We take their advice.

This has nothing to do with not valuing security, it's just about being realistic. Can you guarantee that your company is hacker-proof? No? Then we're on the same page.


I'm not sure why we have to accept a dichotomy between guaranteeing hacker-proofness and throwing up your hands and saying you're bound to get hacked no matter what you do.

It's great that you take all those steps and investment. The fact that you still don't believe you can control whether or not you get hacked is a sad reflection of modern software practices, which are akin to throwing together a house out of plywood, newspaper, and gasoline, then asking the security team to place fire extinguishers.


I don't think your metaphor applies here.

I believe it's more like getting into a car accident. You can be the best driver in the world, you can always drive under the speed limit and take all precautions but you are bound to be in an accident at one point or another.

You may go decades without incident, but it's almost a certainty that you will find yourself in a situation where another driver collides with you in a way that couldn't have been foreseen. This driver could have hit you accidentally or on purpose, it doesn't matter. You could be teaching another how to drive during the incident, you could have had a momentary lapse in judgment...it doesn't matter. What matters is how you handle the situation after the fact and the steps you took to mitigate the damage.

If you spend enough time on the road the likelihood of an incident approaches 100%.


More a sad commentary of how many people think there's some magic bullet of security practices and if they just follow those, then they won't be hacked.

If you don't assume that you will be hacked, then you won't design in auditing, alerting and containment that will tell you when you've been hacked, let you determine what data was compromised, and prevent the attacker from having free rein over all of your systems.

Otherwise, you'll be like a former coworker that refused to secure internal systems because "We paid a lot of money for our firewall, it's going to block any hackers". It took me less than 30 minutes on my first day to hack the login passwords of senior executives because they logged into a non-SSL reporting server (and I did it through a simple MAC overflow attack on a network switch from a network port in the break room).
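The comment above argues for designing in alerting that fires when an intrusion is under way, and describes a MAC-table overflow on an access switch as the attack that went unnoticed. The block below is an added example, not code from the thread or from any commenter, of the kind of detection that would have flagged that step: it walks switch MAC-learn events and alerts when a single port learns an implausible number of distinct addresses inside a short window. The log format, the switch and port names, the sample lines and the thresholds are all constructed assumptions for this example; a real deployment would read the vendor's own MAC-learn or port-security syslog messages instead. It does not cover the second half of the story (credentials sent to a plaintext HTTP server), which is a separate control.

```python
"""Added example: alert on MAC-table flooding from switch MAC-learn logs.

Not code from the thread. The log format below is hypothetical and the
sample log is constructed; the thresholds are assumptions.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import re

# Hypothetical line format (an assumption for this example, not a vendor's):
#   <iso-timestamp> <switch> port=<port> event=MAC_LEARN mac=<aa:bb:cc:dd:ee:ff>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<switch>\S+) port=(?P<port>\S+) "
    r"event=MAC_LEARN mac=(?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5})$"
)

# Assumed policy: a desk or break-room port learns a handful of addresses;
# more than MAX_NEW_MACS distinct addresses inside WINDOW is a flood.
MAX_NEW_MACS = 50
WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect_mac_flood(lines, max_new_macs=MAX_NEW_MACS, window=WINDOW):
    """Return one alert per (switch, port) the first time it exceeds the threshold.

    A sliding window per port keeps the recent (timestamp, mac) events and a
    Counter of how many events in the window reference each MAC, so the number
    of distinct live addresses is len(counter).
    """
    events = defaultdict(deque)     # (switch, port) -> deque of (ts, mac)
    live = defaultdict(Counter)     # (switch, port) -> mac -> hits in window
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line; a real pipeline should count these too
        key = (ev["switch"], ev["port"])
        q, c = events[key], live[key]
        # Expire events that fell out of the window.
        while q and ev["ts"] - q[0][0] > window:
            _, old_mac = q.popleft()
            c[old_mac] -= 1
            if c[old_mac] == 0:
                del c[old_mac]
        q.append((ev["ts"], ev["mac"]))
        c[ev["mac"]] += 1
        if len(c) > max_new_macs and key not in alerted:
            alerted.add(key)
            alerts.append({
                "switch": ev["switch"],
                "port": ev["port"],
                "distinct_macs": len(c),
                "window_start": q[0][0].isoformat(),
                "window_end": ev["ts"].isoformat(),
            })
    return alerts


def sample_log(include_flood=True):
    """Constructed log: a normal desk port, and optionally a flooded port."""
    base = datetime(2014, 3, 3, 9, 0, 0)
    lines = []
    desk = ["00:1a:2b:3c:4d:01", "00:1a:2b:3c:4d:02", "00:1a:2b:3c:4d:03"]
    for i in range(120):  # two minutes of the same three hosts on Gi0/3
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} sw-floor2 port=Gi0/3 event=MAC_LEARN mac={desk[i % 3]}")
    if include_flood:  # 300 forged source addresses in six seconds on Gi0/12
        for i in range(300):
            ts = (base + timedelta(seconds=30, microseconds=i * 20000)).isoformat()
            mac = "02:00:00:00:%02x:%02x" % (i // 256, i % 256)
            lines.append(f"{ts} sw-floor2 port=Gi0/12 event=MAC_LEARN mac={mac}")
    lines.append("this line is deliberately malformed and must be skipped")
    return lines


if __name__ == "__main__":
    for alert in detect_mac_flood(sample_log()):
        print(alert)
```

The alert carries the port and the time window, which is what a responder needs to pull the port's traffic and decide whether to shut it (the containment half of the commenter's "auditing, alerting and containment"). Many switches can enforce the same limit themselves through a per-port maximum of learned addresses; this check is for seeing the event centrally when they don't.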


> If you don't assume that you will be hacked, then you won't design in auditing, alerting and containment that will tell you when you've been hacked, let you determine what data was compromised, and prevent the attacker from having free reign over all of your systems.

I see a big difference between preparing for the event of a hack, and believing that a hack is inevitable no matter what practices are in place.


How do you get your CEO to pay for the monitoring and other breach preparation if you've just told him that "We have air-tight security, we cannot get hacked"?

CSO: We have airtight security, we cannot get hacked.

CEO: Great!

CSO: Please approve and fund this plan to handle a breach in case we are hacked.

CEO: But you just told me we can't get hacked.

CSO: Right, it's impossible.

CEO: So why do we need to spend money preparing for it?

CSO: Just in case.

CEO: Just in case what? You just told me it can't happen.

That seems a little like asking for money to prepare for an alien invasion or a zombie attack.


Probably the CEO would have read the document their insurance carrier made them sign that details the measures they need to keep cyber cover valid, and therefore this conversation wouldn't happen.



