
I think your perspective is either immature or unrealistic.

OP's a realist. His perspective has nothing to do with how a company values security.

No one in security assumes they won't get hacked; we assume we will, and when we do get compromised, our metrics aren't measured on "if". Our success metrics are:

* How quickly we find out
* How much damage we can mitigate
* How quickly we mitigate the risks and controls for X vulnerability, and
* How we incorporate our reporting to find trends, so we find the event quicker next time

Now we report on many compromises. I'm not talking just about data breaches here, there's a whole spectrum of compromises that we manage and mitigate.

I don't know anyone who operates in security who has a different mindset from OP's.



> OP's a realist. His perspective has nothing to do with how a company values security.

Of course it does. The stick is not big enough, so CSOs just do not care enough. Increase the size of the stick and it would split the group of CSOs into two:

1. Those like OP, who will run away saying "I'm not going to put myself in the line of fire if crap gets hacked". We need broomsticks for those.

2. The ones that will say "OK, two years", do their best and probably succeed.


Having practices in place for the event of a hack is obviously good, but it doesn't imply believing that you can't control getting hacked and can't win against the hackers (previous poster's exact words).


It's because you can't control it. There are limitless attackers and vectors. Security is mostly a game of being hardened enough that most of those attackers will give up and go off looking for easier targets. Against a zero-day that nobody knows about yet, or an extremely determined attacker with a lot of patience? You will eventually lose, and you have to do your best to detect when it happens and act accordingly, as stated previously.



