Those are words we never want to hear, no matter what the situation. Something undesirable has happened, we were expected to have prevented it, but it happened. By the time the question is being asked, there isn’t much to do except damage control.
When it comes to information security, sadly, this question is asked all too frequently. Attackers continue to refine their skills while, at the same time, more and more aspects of business are being digitized and moved online. If you don’t have a robust and constantly improving security posture, sooner or later you’re going to hear those words directed at you.
In the previous blog post, Make vs. Buy, we discussed the economic tradeoffs of investing in internal expertise versus leveraging external expertise. Maintaining effective information security is like running on a treadmill that doesn’t have a stop button: if you aren’t constantly moving forward, it’s going to get ugly real fast. Staying up to date on the latest security trends, vulnerabilities, and solutions is a full-time job, and when you factor in PCs, phones, servers, networking gear, and other technologies, it is more than just one person can handle.