A recent study conducted by British Telecom claims that 94% of the companies they polled expected to suffer a compromise sometime in 2009.
I guess companies are finally acknowledging one of Information Security's most sacred truths: prevention eventually fails. I first heard this truism while reading Richard Bejtlich's fantastic book The Tao of Network Security Monitoring. In it, he claims that preventive controls are doomed to eventual failure due to two factors: some intruders are smarter than the people securing the systems, and intruders are unpredictable.
These sobering facts recently prompted InfoSec pioneer Dan Geer to comment in an interview:
> [...] the world we live in now is one where the rate of change is so great it is hard to develop a skilled craft because by the time you do, the problem set has moved on.
>
> I think information security is quite possibly the most intellectually challenging profession on the planet. For that reason, what was true yesterday may not be tomorrow. In information security in particular, the rising fraction of R&D that is done by the opposition, and is funded by the opposition by its own revenue, is quite fascinating and makes things very difficult. At the same time, have we made progress? Sure. But the challenging aspect to this continues to be this rate of change and the degree to which you need to be on your toes all the time.
So, given that you will, eventually, suffer a breach, what's your plan? You *do* have an incident response plan, don't you? If you thought you had a 94% chance of getting into a car accident, you'd plan for that eventuality, wouldn't you?
If you don't have an Incident Response Plan, NIST's Special Publication 800-61, originally published in 2004 and refreshed last year, is a great place to start, and it is considered required reading by most InfoSec practitioners who have accepted the reality that prevention eventually fails.