I hope the title of this post isn’t what John Sawyer is suggesting in his recent blog. I don’t think he really means to say that we shouldn’t attempt to protect the data that has been entrusted to us in our IT jobs. I’m hoping he means at the same time we attempt to protect the data, we should also be proactive in our thought processes to prepare for a breach.

I do agree wholeheartedly with the sentiment of this quote:

“Can you imagine walking into your CIO or CISO’s office and telling them that they need to come to grips with the fact that the security mechanisms they have spent tens to hundreds of thousands of dollars on will fail? That’s not a conversation I would want to have, but it is the mindset that needs to be adopted and built into policy and security mechanisms as they are designed and deployed” (Sawyer, 2008, ¶ 3).

In fact, if the CIO or CISO isn’t aware that the security mechanisms can (and probably will) fail, he or she shouldn’t be in that position in the first place. Just as we prepare for the worst in disaster recovery and business continuity planning, we should prepare for the worst in security and data breaches. That way, when (or if) a breach does happen, the company can handle the situation and move on, reducing the stress and anxiety over it and allowing employees to get back to the job at hand.

Reference: Sawyer, John H. (2008, September 10). Inevitability of Failure. Evil Bits, Darkreading.com. http://www.darkreading.com/blog.asp?blog_sectionid=447&doc_id=163473