
You’ve secured the budget. You’ve implemented the program. You’ve checked every box on the information security checklist. Frameworks? Followed. Best practices? Established. Policies? Written and approved. The technology stack is humming along, auditors are nodding approvingly, and consultants are signing off on your approach. Everything suggests your network and information assets are locked down tight. Then the breach happens. The investigation reveals gaps you never saw coming. How did this occur when you did everything right?
We’re masters of self-deception. We do it with our health, telling ourselves we’re fine until the bloodwork or imaging shows otherwise. We do it with money, assuming our financial house is in order until it isn’t. In business, we’re particularly good at this with IT and security. Boxes get checked. IT teams believe they’ve done their part with proper visibility and controls. Management feels confident because they approved the spending and see security activity happening. Even users are engaged after sitting through awareness training. Yet this checkbox mentality is precisely what leads to security incidents and breaches. We want fast results. We crave completion. There’s a dangerous assumption that following prescribed best practices automatically equals adequate security. It doesn’t.
Through my work conducting independent vulnerability and penetration testing, security program reviews, and serving as a virtual CISO, I see plenty of security programs that look impressive at first glance. Dig deeper, though, and you’ll find much of it creates nothing more than false confidence. IT and security teams are stretched thin and often lack proper training. Security tools and services are underimplemented. Users remain unaware of how their behavior is impacting business risk. And yes, executives frequently have no idea what’s actually happening with security. (Note the date of this post.) I’m not claiming every security program I encounter is broken. Good work is happening, now more than ever. The problem is the gap between what exists, how it’s actually being used, and how success is being measured. This creates what I call a defensibility problem. Things look acceptable on paper but won’t hold up when something goes wrong.
I’ve served as an expert witness in data breach and compliance cases. I’ve watched what happens when lawyers arrive and investigations unfold. It consistently comes down to one question: can the breached organization demonstrate they took a solid, defensible approach to security? This is where most security programs fail. That “get it done and move on” mentality leaves programs incomplete. Security exists in theory, but risks remain very real in practice.
Starting now, and continuing as a regular discipline, make certain you’re not just performing security theater. Your efforts must generate measurable results and genuine business value. Want to identify the 20 percent of security issues creating 80 percent of your problems? Bring in outside perspective. An independent party with no stake in the outcome can see what your internal team cannot. If you insist on keeping assessments internal, ensure your security team operates independently from IT. Don’t let the fox guard the henhouse. Whatever your assessment approach, establish proven security metrics across all security areas: technical controls, operations, user education, and more. Measure them. Improve them over time.
You won’t prevent every security incident. You’ll almost certainly face a breach eventually. What matters is taking a defensible approach to security. Don’t spend money and go through motions just to create the appearance of a solid program. Trust, but verify. Have the discipline to regularly evaluate and assess, looking for improvement opportunities. This approach serves multiple purposes: it helps you achieve long-term security objectives, creates competitive advantage, and ensures the business remains viable for the long haul.