However, accepting the inevitability of compromise does not mean that we have to accept the inevitability of loss. We can manage risk to an acceptable level. We won’t stop every individual attack, but we can reduce the window of vulnerability from all attacks, and put the balance of control back firmly in the hands of security practitioners.
Although our industry has been talking about risk-based security for a while, the fact remains that few organizations do it meaningfully and well. We must learn to evaluate risk at more substantive and granular levels. There’s risk, and then there’s risk.
Fundamentally, risk is a function of three components: How vulnerable you are to attack; how likely you are to be targeted; and the value of what’s at stake. In a world of advanced threats, we must evaluate risk not just from the inside out, but the outside in as well.
In looking at your organization from the point of view of your attackers, you are more likely to spot critical vulnerabilities and be able to focus your risk mitigation efforts.
-- Art Coviello, Executive Vice President of EMC and Executive Chairman of RSA
Note: emphasis is mine.
Src: RSA Conference Keynote from Art Coviello, “Sustaining Trust in a Hyperconnected World” (San Francisco, February 28, 2012)