However thoroughly secure policies and frameworks are adopted, a threat agent with adequate resources, access and motivation can overcome any control, countermeasure or safeguard.
This means that a sufficiently motivated and well-funded threat agent (formerly just called a “hacker”) can defeat any single security control put in place, and in many cases every one of them.
Key takeaway: If you want to enhance security you must build partnerships in which you understand what the business wants to do, how badly it wants to accomplish it and what security costs it is willing to bear.
The implication of this is that security isn’t just about technology; it is fundamentally a partnership of technology and culture. Controls that were effective hundreds of years ago are ineffective today because their vulnerabilities are well-known.
Infosec, or security in general, requires that appropriate technological means are employed (for the military this means assigning a classification to each object and a clearance to each subject, so that a subject without the appropriate clearance cannot access the object). Because security is only as strong as its weakest link, security also requires a partnership of all subjects within a domain (e.g. a company) who accept certain standards and adhere to them without deviation.
That doesn’t mean there can’t be discussion, or that risk mitigation alone drives the choices; business is business, and most companies aren’t willing to pay what 100% security would cost … or else they’d just close the doors and turn off the lights.
If you don’t believe security needs to build partnerships that are consistent and sustainable, consider that the 2011 breach of security giant RSA was achieved because a couple of employees decided to open an Excel spreadsheet that was emailed to them; one of them retrieved it from the junk-mail folder to do so, and the spreadsheet carried an embedded exploit that installed remote-access malware on the workstation.
Had those individuals understood the corporate security policies and agreed that those policies were warranted and not too burdensome, RSA wouldn’t have been compromised. The company had the appropriate technological security applied; it had policies that had protected it against APTs before and, ostensibly, since. It was that moment-in-time decision that allowed at least one person to open the door to a patient, persistent threat agent.