Imagine for a second that your boss came up to you and said, “We’ve been compromised. Assume trust doesn’t exist. Now define our new security organization and architecture!” Unfortunately, it may take events like that to change our perceptions or actions when approaching securing our organizations.

Less is More?, by leosaumurejr

Depending on who you talk to, we already are living in a state of compromise. I prefer removing the element of trust form my strategy as much as I can, and focus on how I would secure a system, application, or network if I knew there were hostile elements in it. Changes your perspective a bit, doesn’t it? All of the sudden, those satellite locations start looking less like friends and more like foes.

You have unrealistic expectations if you think you can keep attackers out of your networks. Networks today are too big and too porous, and attackers are too cunning and persistent. A state of constant compromise cannot mean constant loss as that would spell the end of the enterprise. So what does living in a state of compromise look like from a defense perspective?

As much as people hate to hear it, the strength of your foundation is critical. You must build core IT security concepts into your organization’s culture. Things like least privilege (we have too many admins), defense in depth (build many walls, don’t rely solely on any one), and taking an info-centric approach (centralize and protect the assets you value) are critical to keeping the high value stuff safe.

Speaking of that high value stuff, do you know where it lives? Do you know who accesses them and how the business uses them? Do you know how to lock them down in the event of a breach, and how to ensure they are still available to the business throughout that process? You must answer these questions if you intend to survive in a state of compromise.

This post originally appeared on