The result, he said, is that attackers, "are winning by every possible measure."
His colleagues in the industry may not agree with all of that, but most think he got the essentials right. John Pirc, chief strategy officer at Bricata, said he "totally agrees" that the perimeter mindset is still too prevalent. "Security needs to move deeper within the network. The need is for visibility in the data center rather than on premise or the cloud," he said.
Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals, is another. "Sadly, he is mostly correct regarding many companies that are still in the 'prevent the attack,' or 'don't let them in' mentality," he said, even though the, "more mature and enlightened have known for years, if not decades, that the attackers will occasionally break in and that you will need to be prepared."
Chuvakin said virtually every security pro has been, "taught the prevention/detection/response mantra, but at many places the spend is mostly on prevention, and preventative technology gets the attention."
Muddu Sudhakar, CEO of Caspida, said he agrees that adversaries are winning, noting that, "the FBI Cyber Division head commented last week that while they used to learn about a large-scale breach every two to three weeks, it is now every two to three days."
But he said context is important. "The bad guys only have to succeed once, while defending data has to succeed 100% of the time," he said.
Rob Kraus, director of security research and strategy at Solutionary, also said context matters. He said simply declaring that the "good guys" are losing neglects the ebb and flow of the battle.
"As advances are made by the good guys, the enemy will re-evaluate and re-deploy capabilities in a way that can circumvent their attack or defensive postures. The challenge with the cyberworld focus is that the battle moves much more quickly, and is even more multi-dimensional."
But he agrees with Yoran that there is still too much reliance on defending perimeters. "Many organizations are still locked into the concept that the castle walls will protect the bad guys from getting in," he said. "Most are not thinking about those who climbed over or tunneled under those walls.
Ron Gula, CEO of Tenable Network Security, says while he agrees that, "most organizations operate, support customers and do business in the environment Amit describes," it is hard to claim with certainty what the state of security really is.
"It could be much worse than Amit describes, but it could also be much better," he said.
He said breaches, while they are an increasing fact of life, are no longer the most important challenge for the industry. "Hacking data alone isn't getting a huge response from the public," he said. "The next level we are moving to is real cyber warfare or cyber terrorism."
Sign up for MIS Asia eNewsletters.