Kelly at Dark Reading posted an interesting article today, based on a survey done by BT around hacking and penetration testing. I tend to take most of the stats in there with a bit of skepticism (as I do any time a vendor publishes numbers that favor their products), but I totally agree with the first number:

Call it realism, or call it pessimism, but most organizations today are resigned to getting hacked. In fact, a full 94 percent expect to suffer a successful breach in the next 12 months, according to a new study on ethical hacking to be released by British Telecom (BT) later this week.

The other 6% are either banking on luck or deluding themselves.

You see, there’s really no difference between cybercrime and normal crime anymore. If you’ve ever been involved with physical security in an organization, you know that everyone suffers some level of losses. The job of corporate security and risk management is to keep those losses to an acceptable level, not eliminate them.

It’s called shrinkage, and it’s totally normal.

I have no doubts I’ll get hacked at some point, just as I’ve suffered from various petty crimes over the years. My job is to prepare, make it tough on the bad guys, and minimize the damage to the best of my ability when something finally happens. As Rothman says, “REACT FASTER”, and as I like to say, “REACT FASTER AND BETTER”.

Once you’ve accepted your death, it’s a lot easier to enjoy life.