I was talking security last night to some very experienced digital people. We shared horror stories of various security breaches and attacks. (We all lived to tell the tale). There were a couple of take-home points which are worth sharing.
First, as much as we’d like to think otherwise, there are too many different kinds of attack for even a medium-sized company to cover completely. For example, commissioning a firm to test for one specific vulnerability will leave a dozen related vulnerabilities unchecked. Or, to take another example, a small technical change can open up holes that were previously closed. This doesn’t mean security testing is pointless, but it does mean that it covers less ground than we might like, and exposure is likely greater than we’d prefer.
The second point relates to the first, and addresses the issue of risk more generally. It is this: given that a security breach is a matter of “when” not “if”, what makes the difference is the capability to minimise the impact. It’s the ability to respond to a crisis in general, even if you can’t predict the specifics. This covers many things: having enough team members who can work together to respond to the crisis (having the skills, spreading those skills, and so on), having a strong team dynamic so that people really are willing and able to step up to the mark should the circumstances require it, and (often forgotten) effective communication, both internally and externally.
As usual with uncertain situations, since the specifics can’t be predicted, the real key to success is an operating model that is geared towards handling that general unpredictability smoothly.