The only approach is to abandon the pure play of prevention, and move to a more mature model of resilience. Resilience is powerful precisely because it gets us to the true definition of security—being ok no matter what.
Over the years I’ve said something like that second paragraph to the CISO or security director only to receive a blank stare or admonition not to say anything like that to an executive team. It’s time for security folks to admit the truth.
My viewpoint is one I learned over the years from reading Christopher Hoff’s blog, Rational Survivability.
