A throwaway joke got me thinking recently. Any system that appears secure might just be that way because it hasn’t yet been compromised. And as we say in this game, there are only two types of companies out there: those that have been breached and those that don’t know they’ve been breached.
First, the joke. Dickens says ‘It was the best of times; it was the worst of times’. To which Schrödinger replies, ‘Nice, nice.’ Dads of the world, draw nearer.
Now, what’s that got to do with anything? Well, as all you quantum mechanics enthusiasts out there know, Schrödinger’s Cat is a thought experiment involving a hypothetical kitty in a box. The cat may be alive, or it might not be. It exists in a state of superposition—both alive and dead—until the box is opened and its fate observed.
Cybersecurity operates under a similarly puzzling principle: a system might be both secure and compromised until someone tests it thoroughly enough to find out, or a hacker gets in. Call it Schrödinger’s Breach—the notion that a network, application, or database only appears secure because it hasn’t been breached yet, but its true state remains uncertain until a determined adversary pries it open.
Even then, absolute certainty eludes us, as the absence of a breach today doesn’t guarantee safety tomorrow. Yes, that’s some Christopher Nolan-level trickery.
This paradox defines the modern cybersecurity landscape. We erect defences including stuff like firewalls, encryption, intrusion detection systems, and Malware Free Networks (which Advantage uses) and assume that with these measures comes inviolable security.
But security isn’t fixed. It also isn’t inviolable. Instead, it’s a hypothesis awaiting a counterexample. A system isn’t secure because it’s impregnable; we just think it’s secure because no one has cracked it yet.
When a breach occurs, the illusion shatters, revealing vulnerabilities that were there all along, lurking unobserved. Until that moment, there’s a superposition of states: safe yet vulnerable, protected yet exposed. Inception-esque stuff, but worth pondering.
Let’s then consider Schrödinger’s Breach in the context of ‘dwell time’, which turns out to be a bit of ‘realpolitik’. Globally, the average time between a breach and finding out about it is around 194 days. That’s over six months of silent compromise, potential data theft, system manipulation, or undetected sabotage before opening the box and revealing the cat’s fate.
Throw in threat intelligence, and the picture improves but not by much, shaving around 28 days off on average. During this time, again, the system exists in a dual reality—functioning as intended, apparently secure, but, well, not really. Nervous yet? You should be!
Historical breaches underscore this principle. Equifax, SolarWinds, and Colonial Pipeline were all considered secure. Security teams no doubt assumed everything was in order, because why wouldn’t they? Right up until Schrödinger’s Breach turned out to be Pandora’s Box.
So, what’s the lesson here? It isn’t about negligence, but rather the nature of observation. A clean audit or a passed penetration test doesn’t confirm security; it suggests no one has looked hard enough.
And another paradox arises, for those keen on looking really, really hard. Ethical hackers operate within constraints like time, scope, and legality, while real adversaries, from ransomware crews to nation-states, face no such limits. They probe relentlessly, exploiting zero-days, human error, or obscure misconfigurations, collapsing the system’s state from ‘secure’ to ‘compromised’ with a single move on that one bit you didn’t consider.
So how do we navigate Schrödinger’s Breach? First, and as most in the infosec space will agree, ditch the fantasy of absolute security. No system is unbreachable, so the aim is resilience, not perfection. Along with MFN, we recommend zero-trust architectures, treating every user and device as a potential threat and shifting the focus from prevention to continuous verification. And, with MDR, detection becomes as vital as defence, because you can’t protect what you don’t see (and you really don’t want ‘Schrödinger’ poking around for any amount of time, let alone months).
Finally, it is worth changing how we think about breaches (and I do believe this is happening). Rather than looking at compromises as failures of people or process, consider them to be symptoms of the reality that uncertainty is, along with death and taxes, an inevitability in cybersecurity.
The box is always about risk – and security, then, is risk management and not risk prevention.