No. It’s not unacceptable to have a cyber incident. It happens. Just like any other type of business risk could. But it is unacceptable to be negligent. Negligence is knowing there’s work to be done, and simply turning your back on it. If you haven’t pentested, and remediated known vulnerabilities, that’s negligent. If you don’t have a response plan, and have no ability to detect attackers, that’s negligent. If your developers and device makers don’t think about secure design or get a code audit done – that’s negligence. If you do not know which process and partner to turn to in the event of a breach… that’s at least poor planning.
I think moving forward, we’ll see more emphasis on attack readiness, as the measure of how well organizations do when breached. These types of questions are not uncommon: “How can I know all the types of tools, techniques, staff, issues, ahhh!! Should I focus on protection, detection, response, cyber deception (these are neat)??”
I understand. We live in a fast paced, complex world. It takes a cyclic, maturing effort in IT, software development, cyber efforts, and more. Hire good leaders. Train your team. Engage excellent partners. Measure everything you can. Be sure you’re improving. Do right by your staff, customers, and the business. If you’re committed to those principles, I believe you’ll find a way to make the right choices in terms people, process, and technology. And I believe you’ll find a way to avoid more mistakes and attacks, or handle each event properly when they do occur.