Personally, I think this is one of the most important concepts of today. It's simple enough to grasp and illustrates the point very well.
Consider these examples:
- From an effort perspective, the effort required to secure a system is significantly greater than that required to exploit it.
- From a cost perspective, it is less expensive to prevent a serious data breach than it is to clean up and recover from one.
Point 1 above was illustrated very clearly to me at the IISP's TopGun event I attended recently, and it is a scenario that you have to step back from to fully appreciate. For example, if you have a smallish network running most modern services (web, email, mobile, databases, websites, etc.), then the effort to secure it is quite mammoth. You have to consider the perimeter, the information, how it's stored and used, what services are on offer and the impacts of each. Then you have to consider every conceivable vulnerability and patching strategy, and stay on top of, or at least up to speed with, the curve of change. All of these efforts add up to a team of people, but all it takes to break in is one person with a brain, a motive, and a few freely available tools.
Point 2, of course, was illustrated very well by a study by the Ponemon Institute LLC in conjunction with PGP and Vontu (Symantec). This study evaluated the true cost of a breach of data security, considered factors such as direct and indirect costs, and has trended the data over the last few years with enlightening results.
Despite both of these points clearly illustrating that the best way to tackle the security conundrum is head on and proactively, those of us in the industry will all surely testify that getting the right backing, funding, and often even the right audience within the business is still a hard task. From my perspective, I will keep on trying, and keep on flying the flag in the hope that one day reality sets in and my job / life gets easier!