0 reportable cybersecurity incidents

At first glance, achieving 0 reportable cybersecurity incidents seem to be a commendable achievement. Other industries set similar KPIs, i.e. 0 workplace injuries. However, we must understand that this is extremely tough because we are facing an active adversary that is attacking constantly. Imagine if workplaces have to deal with wear and tear, human mistakes and also saboteurs actively trying to damage equipment.

This is why the cybersecurity industry has moved towards a defense in depth approach, acknowledging that we cannot prevent 100% of incidents, aiming to minimise the time taken to detect and respond to an incident, rather than solely focusing on preventing incidents. In fact, large cybersecurity teams have incident managers and forensics specialists, whose full time role is to respond to an incident. To continue with the workplace analogy, this is akin to having safeguards and redundancies in every piece of equipment, and having medical personnel and vehicles on standby at the worksite to reduce response time.

In fact, I would even argue that 0 reportable cybersecurity incidents is a bad sign. It points to a severe lack in detection capability, if you cannot even see the attack happening, of course you stand no chance of blocking or responding to the attack. The other explanation is a cover up. Pressure from management to not report the incident might hide what appears to be a rotten core underneath a perfect security record.