A few years ago, the cybersecurity industry adopted a new mindset that went something like this:
- Cybersecurity controls are not very effective.
- Therefore, sophisticated cyber adversaries can easily circumvent them, compromise networks, and execute data breaches.
- Hence, trying to prevent attacks is essentially a fool’s errand, so organizations should concentrate on incident detection and response.
This line of reasoning was supported by an overly simplistic axiom that spread like wildfire in the industry: “There are two types of organizations. Those that have been breached and those that have been breached and don’t know it.”