It's important for security practitioners to assess security tools and understand exactly what it is they want a tool or service to provide. Semrua said, "Make sure those tools or services are able to deliver on those needs, and verify that the information being used to power those solutions is rooted in quality and reliable information."
Those who are quick to see security tools as an answer to a vulnerability score are potentially being too simplistic, Durbin said. "The whole risk arena is becoming more complex. They need to be rethinking how they measure vulnerabilities, not just complying with compliance."
In addition to anticipating threats, enterprises also need to grow more resilient. "It's not as simple as what we have done in the past," said Durbin. Assessing the value of the assets will shed some light on where the vulnerabilities might reside.
"We need to be doing a business impact assessment to understand the threat environment and how that is changing. Then we can understand the risk associated with that and the risk appetite related to a particular vulnerability," Durbin said.
Security needs to become more sophisticated, which means having a working awareness of the value of the business assets and the impact of loss or downtime. The risk isn't only in the ability to deliver service. It's also the impact on brand and reputation and the way the enterprise is viewed against its competition.
Enterprises that suffer a breach can be sure to see their name not only in headlines but also in tweets and Facebook feeds.