The Sony hack is iconic in many ways. The attack devastated the organization, yet many chief information security officers (CISOs) defend Sony, saying that the attack was inevitable. We, however, believe that even if it was inevitable that the attackers would gain access, it does not follow that the damage was inevitable.
Protection might inevitably fail, but if that failure is detected and the appropriate reaction is carried out, the security program as a whole has not failed. Security is a program that combines protection, detection, and reaction. Although we do advocate Defense in Depth, it must be combined with detection and reaction strategies.