A More Holistic Approach to Security

As we look back on 2009, we shouldn’t be surprised about the many “surprise” security incidents that came to light. It didn’t really matter how prepared an organization was or how compliant they were to industry standards—hackers still found a way to access the organization’s network and data and commit a crime.

In 2010, we will undoubtedly face new threats. The question is, will security professionals (look in the mirror) change their myopic focus on prevention and apply some serious attention to preparing for the unexpected threat? We need to address all three pillars of an effective security strategy: prevention, detection and incident response.

To security professionals who have subscribed to a “prevention is good enough” belief, preparedness might seem like an impossible task. After all, how can we anticipate each and every threat that is out there? To help with a New Year’s resolution to be better prepared in 2010, I’d like to highlight a few steps to move toward a more holistic approach to security:

  1. Be prepared. It’s not all about prevention. As security professionals, we can’t focus completely on prevention, because we can only stop what we know. The “unknown unknowns” will continue to roam in the wild and until they are identified and classified, any amount of prevention is insufficient. These threats will be targeting vulnerabilities we are not aware of. Just look at the vast number of recent security incidents, including T-Mobile, Heartland Payment Systems, TJX Companies, MasterCard, American Express and many others. Eventually, vulnerabilities will be found and exploited and a breach will occur. We need to take steps to prepare for the “unknown unknowns” by planning for swift, intelligent response. Incident Response needs to evolve into Instant Response. Furthermore, we can’t put all our trust in vendors who convince us that they can stop every security incident. Simply put, it cannot be done. If you put all of your security dollars toward prevention, will you be successful? No. Come to grips with the fact that vulnerabilities exist and be prepared for the incident when it occurs.
  2. Don’t rely on compliance alone. Compliance is a start, but regulations are really there just to provide a framework—and force adherence to—good security practices. These are practices that serious security professionals are already following. For those of us who believe that we will not be hacked because we are compliant with industry standards, think again. It can and does happen. The Heartland breach is a great example, and it has taught us that compliance alone is not enough to stop a major security breach. While Heartland was compliant with the requirements of the Payment Card Industry Data Security Standard (PCI DSS), the company still experienced the biggest breach ever involving payment card data. There are simply no guarantees when motivated attackers have an eye for your assets. Rigorous updating and patching, along with practicing general security hygiene, is of course wise; however, it is still not sufficient. For those deploying new technologies touted as the ultimate barrier against a security breach, proceed with caution. Eventually, someone will figure out how to hack into the new technology, and you won’t have any improved capability to respond to the previously unknown threat.
  3. Investigate, detect, and fortify. Lastly, we must understand that securing our networks and data also includes swift detection of the source and scope of any security incident. This is critical to enable quick and intelligent response. Rapid detection of a breach is arguably more important than just trying to prevent one. This holistic perspective helps you know exactly what is going on within your networks. Then, when something questionable happens, swift response to mitigate the incident provides more protection to your organization’s bottom line and brand equity than with prevention alone.