Why are organizations continuing to have cyber breaches?
How much is enough? How much money, resources, frameworks, consultants will it take for an organization to truly grasp the fact that there isn't enough to eliminate a cyber incident.
Realization is that it will happen. How the organization responds and it preparedness for that moment will truly validate what it should apply for it's Total Cost of Risk model.
From what I've observed:
a) There's no leadership buy-in on data protection. Leadership is too focused on profit drivers and sees data protection as a necessary evil. Or something they must "respond/react" to instead of proactively building into their culture.
b) The most "at risk" functions--Marketing/sales other customer-facing areas don't prioritize it. Their argument is--if we're not in the business of data protection, why bother with all the effort?
c) Data protection measures (certifications, data security tools) are seen as good-to-haves and not must-haves.
The current environment heavily favors aggressors, ie those perpetrating attacks. They can innovate unimpeded, they have a large ROI for new technology.
Defenders don't even understand the attacks that are coming out now. It would require a large research effort to understand them and a huge investment to effectively mitigate *just the ones we know about*.
Because new attacks are constantly being invented, this so far is a losing game, Kobayashi Maru (Star Trek II reference, look it up). All we can do is deal with loss in the best way possible.
That means minimizing response times, automating port closures or account lock-outs, bringing more computational power to bear on analytics, scripting and smarts as part of the defender's toolkit. Always assume there is an attack ongoing, that you will be compromised. Be prepared to quarantine, wipe and rebuild machines with as low a cost as possible.
The new hardware hacks (implants, see also SuperMicro) make this more expensive to mitigate, but again it is about fast response, confident and decisive actions to prevent the same attack succeeding again. Defenders have to force innovation on the attackers, make them pay for the research first, pay to keep running old attacks that don't work.
Living in the mountains of the US, there is a saying, "There are two types of people, those who have hit a deer and those who will." Same thing for breaches. And once you hit that deer, your driving habits change. Same for cyber strategy. In regulated environments, the companies expect their quick response to reduce the fines and focus. Sometimes it works. Regardless, they finally make the investment in cyber.
The question we should be asking is how to do we push companies to invest in cyber before a breach/incident? That is the magic.
It is a continuous race between organizations and attackers. One day the one side has an advantage and then the other. The week link is often not the IT-protection itself, but the human employee, as awareness is lacking. Often the sophisticated IT-protection could be bypassed by a low-tech-attack.
Companies will stop having breeches when their hackers are smarter than those on the outside of the company. Attacks will continue but breeches should be manageable. Better sentinel monitoring powered by pattern sniffing AI will aid in the reduction of breeches but will not eliminate them altogether.
Data protection strategies against cyber attacks should be mandated simultaneously with the initiation of any business that is at risk of attacks. These companies should be severely punished when their lack of caring for the interests of their clients become less important that their profits.