"At the same time, today's large organizations are highly complex, and there are practical limits on the resources that can be thrown at' the problem," Powers says. "The only feasible option in this environment is to recognize that it is not feasible to afford the same degree of protection to all assets, or to treat all risk factors as being equal."
According to the Global State of Information Security Survey 2014 by CIO and CSO Magazines and consulting firm PwC, security breaches are increasing. The average respondent had 2,562 incidents that threatened some aspect of computer security two years ago, and this rose to 3,741 in 2013.
"Not all those are impactful, but with that type of volume, some are going to get through and you do need to be able to detect and respond," says Mark Lobel, principal in PwC's security advisory practice. "That's why there needs to be a balance between prevention and detection/response -- not just one or the other."
Companies shouldn't "abandon their prevention mindset in lieu of rapid detection and effective response," adds John South, CSO at Heartland Payment Systems, a large payments processor. "In fact, I would argue that each of these support each other in an effective security strategy, given the capabilities of the attackers. We still have to provide the defense in depth -- the castle walls, tripwires and alerts--that we have provided in the past to protect our environments."
The change in thinking today should be that while prevention capabilities are in place and working effectively, the rapid detection of anomalous activity needs to increase, South says. "In effect, our mean time to detection (MTD) needs to decrease from months to minutes," he says. "Depending on whose statistics you read today, the average MTD ranges from 100 to 180 days or more, giving the attackers the distinct advantage of time."
There are hardware solutions and applications available to help companies detect attacks, South says, but "it is difficult -- and in some cases impossible -- for an entity to protect itself using only its own resources and personnel. With the sophistication of the attackers, it is difficult to reduce the signal-to-noise enough to detect the anomalous activity among all of the other network activity. One essential element that can assist in early prevention and detection is information and intelligence sharing."
Indeed, going forward companies might find themselves sharing more information about security. For years, organizations kept their security information secret from others under the philosophy that weaknesses could be used as a business advantage against them, South says. "This led to environments where the only source of intelligence about who was attacking you was the attacks themselves," he says.
Sign up for CIO Asia eNewsletters.