The Data Breach Question: No Longer an “If” But “When”

If the increasingly frequent news of large-scale data breaches (i.e. Ashley Madison, Target, Sony, etc.) has proven anything, it confirms that there’s no longer a question of whether an organization will be breached, but rather when. Companies need to know what to do to mitigate this risk and how to quickly respond to contain the damage breaches like these cause when they do happen. While executives, board members, consumers, employees, and partners are all concerned about breaches, it’s only companies that are proactive in building internal safeguards to minimize the impact of a breach that are in a much better position to defend against their cost and damage.

The shift that we are seeing was evident on a recent trip I made to the Gartner Security and Risk Management Summit in Sydney, followed by our customer conference, SailPoint Live. During these two events, I found myself in conversation after conversation with customers and prospects regarding their company’s attitude on the topic of breaches. These discussions made it clear that companies have made a mental shift from relying on the prevention of breaches at the perimeter to ensuring they have damage control and resiliency when one does occur. It no longer seems to be a career-limiting move for a security professional to make a statement such as “I know we are likely to be breached, I just don’t know how.” What they did feel would be career-limiting, however, is being exposed as unprepared and ill-equipped to minimize the damage associated with a breach. This new attitude is reshaping how organizations approach IT security.

The reality is that it’s next to impossible to predict and stop every attack. In today’s digital world, users need access to a myriad of critical systems, applications, and data in order to do their jobs. These assets not only exist behind the corporate firewall, but the growing trend of SaaS application adoption often means that they exist outside of the corporate network, as well. Add the fact that the way users are accessing these assets is becoming ever more diversified through the adoption of mobile computing, and you have a very complex environment. The traditional network perimeter is rapidly vanishing, so relying on a well-protected wall around the corporate network is no longer a sufficient form of security.

One of the most encouraging signs of the change in attitude I witnessed in my discussion was that the vast majority of organizations are recognizing the need for visibility and control over who has access to what for all application types, both in the cloud and on-premises, independent of the device they are using for that access. This is precisely what identity and access management does. Putting an effective identity management solution at the center of their security strategy allows organizations to quickly react to a breach, better understand who and what is at risk and potentially shut down an attack from spreading. So, while we should do what we can to protect against a breach, there are definitive steps an organization can take to increase its resiliency and potentially reduce the negative impact of a breach when it does occur. After all, it’s the severity of the data loss, not simply the fact that they were breached, that will impact a company’s business, damage its brand and ultimately, impact its bottom-line.