As a result, some organizations spent weeks -- even months -- trying to inventory their systems and figure out where they'd used the vulnerable version of SSL.
Organizations need to start with a thorough understanding of what applications they're using, where and how they're using them, and their relative importance. Automated scanning systems might help with some of this, but at the end of the day, "the rubber has to hit the road," West said. "It takes human effort."
3. Pen tests are lies
Penetration tests are a common part of security audits. In fact, they're required under the Payment Card Industry Data Security Standard.
"Every single company that's been breached has had a penetration test report that says that people can't get in -- or if they can get it, it's not important," said J.J. Thompson, CEO of Rook Security, a penetration testing company in Indianapolis.
So why aren't penetration tests exposing potential security holes so that companies can fix them?
"It's very simple," said Thompson. "Penetration test reports are generally lies."
Or, to be less blunt, penetration testers are more constrained in what they can do than actual hackers are.
"You can't impersonate someone because that's not how we do things here," Thompson said. "You can't set up a phishing site associated with a Facebook profile because that's going too far."
Actual hackers -- who are already breaking the law anyway, by hacking into a company -- might not be averse to breaking other laws, as well. A white hat security firm might be less willing to, say, get into a company by going after the systems of its customers or vendors, or to impersonate government officials, damage equipment, or hijack actual social media accounts owned by friends or family members of company employees.
4. Physical security, meet cybersecurity
Agents of a foreign group recently went after an organization on the East Coast, circumventing firewalls, extracting data on its leadership, and getting information about upcoming events -- and the facilities where those events would be taking place.
"Authorities believed it was part of the pre-operational planning of the group," said John Cohen, who until recently was the anti-terrorism coordinator and acting undersecretary for intelligence and analysis at the Department of Homeland Security.
"There's a blending together of physical security and cybersecurity," said Cohen, who is now the chief strategy adviser at Frisco, Texas-based security vendor Encryptics LLC.
It can go the other way, too, with a physical break-in opening the way to digital theft via compromised equipment.
Enterprise security must become more holistic. The thieves who broke into a field office could have been looking for easy-to-fence electronics, or they could have been planting keyloggers.