Information security is in the midst of a major shift. What had been a purely technical, defensive, IT problem is now a whole-organization risk management problem. As the industry undergoes this wholesale shift in mindset, enterprises are struggling to catch up.

Until a few years ago, an enterprise could approach information security technically: by installing a few defensive products from reputable vendors, an organization could feel relatively secure in its perimeter and would be understood by its investors, partners, and customers to have taken adequate precautions.

This is no longer the case. The sophistication of threats and the breadth of attack surfaces have increased in a way that means sensitive information is always at risk.

As that realization spreads throughout the industry, it is bringing with it an understanding that defense, while necessary, is no longer sufficient. The question is, if that’s the case, what’s next, and how do we think about the problem?


At the simplest level, managing most risks comes down to getting the basics right, implementing a few clever tricks on top of that, remaining vigilant, and having a remediation plan in place. If you think of preparing for a flood, there is some level of storm that any well-built structure should be able to withstand. Then there is some more severe flood that a structure can withstand if its occupants are willing to undergo a certain level of inconvenience. And finally, there are some storms that no amount of preparation can prepare a building for – its occupants must be prepared for this eventuality, and have an exit plan, a cleanup plan, and, ultimately, insurance.

It is simultaneously impossible to assume complete safety and foolish to do nothing. The basics will protect against 90% of storms, and some more advanced precautions will cover 9% of that last 10%. The last 1% is all about preparedness and remediation, and it’s the 1% that the industry is still wrestling with how to address.


First, maintain a realistic perspective of damage and preparedness. No one counts the impact of a storm by the number of individual rain drops. Five malware events occur every second: that’s not the most useful way to think about protecting information. Organizations should use their time and resources to create a security infrastructure capable of withstanding a high-impact event, rather than becoming overwhelmed with the possibility of a few drops.

Second, prepare for events before they occur. In the same way that you would patch your roof ahead of a hurricane, organizations need to assess, identify, and address vulnerabilities before a data breach occurs. Of the vulnerabilities exploited last year, 99% were compromised more than a full year after patches that would have prevented the breach had been issued. Any structure expected to withstand even the most rudimentary of storms requires preventative maintenance.

Third, organizations must take proactive steps to be aware of their surroundings. On average, it takes organizations 206 days to discover a breach. As a homeowner, you would not ignore the sound of dripping water from January until July – you would check for an open window.

Being proactive is where Matchlight comes in. With Matchlight’s proprietary technology, organizations can detect the appearance of their private information on the web in minutes or seconds, rather than after months or years of exposed information.

Ultimately, there are times when a storm will damage your home. But with the proper preparation and a proactive posture, organizations can limit the damage and remain resilient.