In thirty years of responding to security incidents, I’ve never once been called in because a firewall failed. I get the call because something was already inside — quietly — for weeks or months, and nobody knew until the damage surfaced somewhere it couldn’t be ignored.
That gap, between compromise and discovery, is where reputations are lost. And it’s the part of security most organizations under-fund.
Prevention is a budget magnet
Prevention is easy to sell. It’s a product you can buy, a wall you can point to, a line item that reassures the board. So that’s where the money goes. The trouble is that a determined adversary only has to be right once, and walls don’t tell you when they’ve been climbed.
Assume you’re already compromised. Then ask how long it would take you to find out.
When I ask a leadership team how quickly they’d detect an intruder who was already past the perimeter, the honest answer is usually a shrug. That shrug is the actual vulnerability.
Detection is a discipline, not a dashboard
Buying a monitoring tool is not detection. Detection is knowing what normal looks like on your network so that abnormal stands out — and having someone whose job is to look. It’s unglamorous, ongoing work, which is exactly why it gets skipped.
- Baseline what normal traffic and access actually look like.
- Instrument the systems that matter most, not all of them equally.
- Rehearse the response before you need it, like any other emergency.
The forensic mindset pays for itself
The same evidentiary discipline that holds up in a courtroom — chain of custody, provable timelines, conclusions you can defend under cross-examination — is what lets you answer the only questions that matter after an incident: what happened, how far did it go, and is it over? Organizations that can answer those quickly recover. The ones that can’t spend months guessing in public.
You don’t have to choose between prevention and detection. But if your security program can’t tell you when it has already failed, it isn’t finished.
Leave a Reply