Not a day goes by without a high-profile attack, a new cyber espionage story or a government spying on its neighbor. If you think about how hostile the Internet has become, you can ask whether this is sustainable in the long run. Business, government, schools, society for that matter, are addicted to the constant information stream and the ease of use that the Internet offers.
If you conduct business over the Internet, you know how ridiculously expensive it can become to get some form of digital protection. And even if you buy the latest anti-flu, the newest state-of-the-art firewall, or subscribe to the latest brew of managed security services that deliver you a Security Incident and Event Management with around-the-clock monitoring and management, you know that these are all tools designed on the knowledge of yesterday, while they face the reality of tomorrow. We might argue that we're now able to detect attacks more efficiently, but it still does not seem to help much on the defense side, and in particular it does not seem to deter the miscreants from doing harm.
When I read, with some skepticism, the news and information regarding information security, I cannot help thinking that information/cyber security has never been in worse shape than today. Of course we should not give up; we can lose a battle and still win the war in the end. But how many casualties does it take before one realizes that the applied strategy is far from successful? What if we are defending the wrong gates? Unfortunately, we keep on repeating ourselves and, strangely enough, we expect to get a different result. We're doing exactly what the great Einstein defined as insanity.
Imagine we detect an incident: with some luck our monitoring picks it up and alerts all the staff required to analyze the evil, close down the covert channel created by some misfits, and start hunting them. According to some, it can take over 200 days before systems and/or staff detect it. Pardon? To what extent would that be protection? It is not even effective, let alone efficient, since it does nothing until a substantial number of days later at best.
Perhaps we should rely less on a risk-based approach and treat many of the risks as certainties, however complicated that might sound... Maybe we should consider aligning more closely with business requirements; easier said than done, though...