In contemplating the question "So where does all this end?" there is good news and bad news. The bad news is that it never ends. We will always need to think about security. We will always need to update, modify, enhance, and grow our practices, technologies, and knowledge. We will always need to have a security staff, train our end-users, and be mindful of the evil, fang-toothed malefactors knocking at our doors.
The good news is that, if we do it right, effectively maintaining security from here until the end of time should be relatively easy and inexpensive. As has been proven time and again, companies that begin with and maintain good security practices can go hackerless for years without devoting excessive resources to their security practices. Once the fundamental security concepts are known and practiced, security can be treated (for the most part) as a branch of the normal routine. As time goes on, as technology evolves, and as our ambitions and environments expand, we certainly will have to make updates, take classes, and read new books. We should never, however, need to overhaul our security infrastructure or perform a massive recovery because we were wiped out in a malicious attack.
Sunny Skies Ahead
Before we begin discussing the principles behind the security mind, it is important that we all agree on one major concept: It will never end. No matter how good our security is, it will always need to be maintained and improved. So the question is not, "When does it end?" but rather, "Where does the struggle end?"
Just as it is important to understand that security is an ongoing process, it is equally important to understand that maintaining good security practices does not have to be an ongoing struggle. No doubt about it, securing an organization can be difficult in the beginning. However, the horror stories we hear about companies spending endless amounts of time and effort and still getting hacked are almost all from the same source: companies that do not think with a security mind.
Don't get discouraged while reading the latest magazine article reporting that even the FBI is getting hacked. And don't let the employees, managers, or executives become pessimistic about adopting security practices. It is well within our capabilities to maintain a high level of security and go for long periods of time without being compromised. It is ultimately the organization's choice to struggle or not, to adopt good security practices or bad ones.