Can a network be defended and secured? Of course, observe the red team / blue team activities that are executed by businesses, governments, and at conferences. There is one catch, these do not reflect reality. Businesses are living networks and under constant change either directly encouraged or indirectly effected by the windows of the market and universe as a whole.
A fine quote that brought this to bear for me was published in an NSA publication stating: “One simply must realize that while the search for the right foundations proceeds, construction will continue.” where the article describes how the Duomo in Florence was built without an understanding of how to build the planned dome at the top. That is akin to information security today – the challenge and task of information security is to build and execute a security program that reflects that the business is in constant development, and we will not always “know” what is effective for where we are going. Think Mobile and Cloud security as the current sources of concern and challenge.
The takeaway is to recognize that the standards organizations build their security programs upon (ISO 27001, NIST) and are regulated / audited against (PCI DSS, NERC/FERC) are in themselves in a constant state of change. This is only matched by the dynamics of the changing foundations of what information security is protecting (mobile, cloud, etc..) and the market demands placed on the organization. Being still is not the answer, but instead iterating rapidly with a conscious focus on the strategy of the organization with an enabling security program will enhance the longevity of the organization and the relative effectiveness of the security compliance program itself.
NSA Article referenced: “Cybersecurity: From engineering to science” by Carl Landwehr
James DeLuccia IV