Is “winning” the objective in cybersecurity? That’s one of the questions that people have been debating on my social media channels.

The first question you must ask is, “What is your definition of winning?” If winning means staying in business, growing, and keeping customers, then yes winning is absolutely the name of the game.

However if you define winning as putting points on the board to go after and harm the adversary, then I would say that is not the right definition.

Here’s why.

We’re mainly doing defense in cybersecurity. We’re mainly trying to defend and stop the offense from scoring. If you watch football and see games where the best defense team plays the worst offense… the offense still scores. There are very few games in NFL history where one of the teams scored zero points. It can happen. It occurs once in a blue moon. But it’s rare.

The reason why the offense scores almost every single game is because offense is so much easier. The offense only has to find ONE vulnerability or weakness. But the defense has to find ALL of the vulnerabilities and weaknesses.

The probability that the offense will score is pretty high. The probability that someone is going to compromise or break into your organization is pretty high. To me, that’s not even the top concern.

Rather, you should be asking yourself, “Did you detect it in a timely manner,” and “Did you control the damage?”

That’s what determines if you’re winning or losing the war on cybersecurity.

If you’re a large hotel who was compromised for four years and had 500 records stolen (for this example, I’ll call the hotel “Barriott”), then I’d say that you lost that game. You definitely lost.

I can’t mention their names (because they’re my clients), but I have many hotel chains that have been compromised (just like “Barriott”), yet they detected it in a week and there were only 300 records stolen. I call that winning!

When we’re talking about what it means to win in cyberspace… Winning means catching an attack in a timely manner and controlling the damage. It does not mean that you’re never going to get breached.

Any company using computers connected to the internet should know that the offense will score. Our goal is to minimize the points, control the damage, and minimize the frequency in which that happens.

If you’re catching attackers within a short period with only a minimal amount of damage, then yes (high five!) you’re winning.

If you’re not detecting attacks for four years and you have 500 million records that got stolen… I’m putting you in the losing column.

Remember, winning really has to do with visibility, detection, and controlling the damage.

For more tips on staying safe in cyberspace, keep checking out my blogs or follow me on Facebook, Twitter, or Linked In. For your own company’s security assessment or any other questions or concerns, reach out to me at