Left of Breach: The Strategic Shift from Cyber Response to Cyber Readiness
Editor’s Note: This article presents a compelling reframing of cybersecurity strategy through the lens of HaystackID® Managing Director Jeffrey Fleming’s left-of-breach approach. Rather than chasing exotic nation-state threats that make for impressive war stories, Fleming argues that organizations should focus on realistic risks, such as disgruntled employees and compromised credentials—threats that are statistically more likely and can be just as damaging. The article effectively combines economic analysis of the cybercrime marketplace with practical guidance on conducting meaningful tabletop exercises that involve actual decision-makers and walk stakeholders through plausible situations that may arise in the current threat landscape. Throughout the piece, readers gain tactical insights into building cyber resilience and learn how to shift from a reactive to a proactive approach.
By HaystackID Staff
The cybersecurity industry loves a good war story. Companies often claim they’ve been targeted by the most sophisticated nation-state actors, suggesting the breach was inevitable in the hope of deflecting regulatory penalties. However, according to HaystackID Managing Director Jeffrey Fleming, this focus on exotic threats overlooks the bigger picture.
“Everyone wants to say China or another advanced persistent threat hacked them,” Fleming said in a recent interview. “But in reality, that’s probably not your actual threat. Your real risk might be Joe Schmo, a less sophisticated actor, or the disgruntled employee you upset last week. That’s who you need to be prepared for. That’s what can land you in regulatory hot water or facing punitive damages.”
This insight cuts to the heart of a fundamental problem in modern cybersecurity: organizations are preparing for the wrong fights while leaving themselves vulnerable to more probable, and often more damaging, attacks.
The Dark Web Stock Market Is Changing
The cybercrime economy operates like any other market, driven by supply, demand, and profitability. Ten years ago, US customer data was digital gold: full identity records, or “Fullz,” complete with information such as your mother’s maiden name, dates of birth, and Social Security numbers, could command $30 to $50 per record on dark web markets, according to Fleming. Today, they average $5 to $8.
This lucrative market drove massive investment in the theft of customer data. As companies responded by hardening these systems with encryption, access controls, and monitoring, basic economic principles took over: the price of traditional identity data plummeted.
“Companies got better at defending it, so that type of data doesn’t command the same price on the black market anymore,” Fleming explained.
The risk of detection has increased and the market is saturated with that product; it is basic economics, according to Fleming. Criminal enterprises didn’t simply throw up their hands; they adapted and worked smarter, diversifying their portfolios like sophisticated investors and identifying new asset classes that offer better risk-adjusted returns. Medical records, for example, have emerged as prime targets because of their potential for extortion or medical fraud, since criminals can leverage sensitive health information for blackmail. Additionally, the ransomware economy has given rise to entirely new business models that bypass dark web ID fraud marketplaces altogether by monetizing encrypted data directly through restoration payments.
Specialized criminal groups have emerged that operate as businesses. These groups focus specifically on breaking into networks, whether by stealing login credentials or using other technical methods. Then, they sell that access to other criminals. Perhaps most significantly, remote work and cloud computing have created new opportunities. Access credentials for cloud systems, VPN connections, and remote desktop protocols now command premium prices because they provide gateways to entire corporate networks. A single set of valid credentials can be worth more than thousands of individual identity records.
The most valuable assets aren’t always what executives expect. While C-suite leaders may assume their financial data or customer databases are prime targets, criminals often find more value in seemingly mundane information. Employee directories facilitate social engineering attacks. Vendor lists provide third-party attack vectors. Internal communications reveal vulnerabilities and strategic information. Bad actors have also discovered that certain companies aggregate valuable data from multiple sources. For instance, rather than breaking into each Fortune 100 company individually to steal earnings data or merger and acquisition information, they can target centralized repositories, such as the SEC filing system or top-tier M&A law firms. Each of these prime targets may hold data for dozens of deals, offering higher payoffs with lower risk compared to attacking multiple individual companies.
“Based on the breaches we’ve seen and the companies we’ve worked with, we can offer an external view,” Fleming said. “You give us a list of your data types and we tell you what’s most profitable to bad actors right now, and who is going after that. We can help with that risk review to ensure it aligns not only with what the C-suite considers important, but also with what criminal actors actually target. This helps organizations verify that their perceived top threats match the real threats based on current attacker motivations and tactics.”
This type of threat landscape assessment is exactly what our Global Advisory Services provide to organizations seeking to understand their real-world risk exposure. Rather than generic threat intelligence, Fleming and his colleagues deliver customized insights based on actual breach patterns and current criminal market dynamics.
Let’s Talk Numbers: The Real Mathematics of Security Debt
The financial impact of data breaches extends far beyond immediate technical remediation. When hackers access names and Social Security numbers, companies face a cascade of expenses: credit monitoring services, legal fees, regulatory fines, and reputational damage. At $25 per person for credit monitoring alone, a breach affecting two million records translates to $50 million in direct costs, and that is before accounting for regulatory penalties and business disruption.
These numbers fundamentally change executive calculations. Suddenly, investing in proactive cyber programs and tabletop exercises becomes essential business protection. The challenge is that many organizations only reach this realization after they’ve already experienced a breach.
The answer to why companies aren’t more proactive is usually a simple cost equation. However, viewing cybersecurity resilience as a cost center creates a dangerous dynamic in which security investments are deferred until they become crisis management expenses.
The reactive approach creates a classic compound interest problem, one economists would recognize, except that it works against the organization. Every month that passes without adequate preparation increases the potential cost of an eventual breach. Meanwhile, the organization continues to accumulate what could be called “security debt,” the growing gap between current defenses and the protection level needed to handle realistic threats. Like financial debt, security debt compounds over time, becoming exponentially more expensive to address.
Consider the operational disruption costs that are rarely factored into initial breach calculations. When systems go down, productivity comes to a halt. Customer service teams field angry calls. Sales teams lose deals. Supply chain partners lose confidence. The forensic investigation process can take months, during which key personnel are diverted from revenue-generating activities. These indirect costs often dwarf the direct remediation expenses, yet they’re precisely the costs that proactive security measures prevent. Fleming’s $50 million credit monitoring example represents just the tip of the iceberg: the visible costs that grab headlines, while the larger operational and strategic impacts remain hidden beneath the surface.
The Left-of-Breach Imperative
The concept of left of breach represents a fundamental shift in cybersecurity thinking, from reactive damage control to proactive risk management. Consider two companies facing the same types of threats. Company A invests heavily in the latest threat detection tools, builds an impressive security operations center, and takes pride in its rapid incident response capabilities. Company B takes a different approach. It starts by mapping its actual data assets, identifying which information would be most valuable to realistic threat actors, and conducting regular exercises with its leadership team.
When both companies eventually face a breach, and statistics suggest they will, the difference in outcomes is stark. Company A discovers the breach quickly and responds with technical precision, but their leadership team struggles with communication decisions they’ve never practiced. Legal notifications are delayed because no one remembers the exact regulatory requirements. The marketing team may scramble to craft messages without understanding the full scope of compromised data. What should have been a manageable incident becomes a regulatory crisis and PR disaster.
Company B’s response unfolds like a well-rehearsed play. Decision-makers are familiar with their roles because they’ve practiced them. Communication protocols activate smoothly because stakeholders understand both the technical and business implications. Regulatory notifications go out on time because legal representatives have been through this scenario multiple times in tabletop exercises.
While Company A faces the compound costs of extended incident response, regulatory fines for missed deadlines, and months of reputational recovery, Company B minimizes all three through preparation that costs a fraction of Company A’s reactive investments.
The left-of-breach imperative acknowledges that the most critical work occurs before an incident happens, not after. Fleming’s approach has three essential elements:
- Understanding your actual threat landscape rather than hyper-focusing on exotic attacks.
- Conducting economic risk assessments that reveal the actual cost of potential breaches.
- Implementing realistic preparedness testing that involves decision-makers in chaotic scenarios.
The regulatory landscape is increasingly requiring this type of preparation, with more jurisdictions mandating not just incident response plans but also regular testing and validation. Companies that wait for regulatory requirements or actual breaches to drive their preparedness efforts will find themselves paying exponentially more for reactive measures.
Building Tabletop Exercises That Actually Work
Many companies have incorporated tabletop exercises into their incident response preparation, but Fleming identified a critical flaw in how they conduct these exercises. Too often, organizations send junior representatives to stand in for key departments, missing crucial insights that senior stakeholders would provide.
“Sometimes they’ll send an intern to represent marketing or legal, and that intern doesn’t realize they should flag things like credit monitoring or a 48-hour regulatory notification requirement,” Fleming explained. “Those misses have downstream repercussions.”
Fleming explained that when an incident occurs, VPs and senior staff will be the ones called upon to make critical decisions in real time. Without prior practice and preparation, their response will likely be costly for the organization. Effective tabletop exercises therefore require the actual decision-makers who would be involved in a real incident response. The legal representative needs to understand regulatory notification requirements, and why, when the hands-on-keyboard responders ask questions, legal doesn’t have days to research the matter: they need a quick answer. The marketing representative must grasp the PR implications and communication strategies. The HR representative should be aware of internal investigation procedures and employee notification protocols.
Marketing response has become critical in today’s fast-paced media environment driven by social media and influencers. The first report sets the narrative, even when that outside reporting isn’t accurate, forcing companies into a defensive position of refuting misinformation. Well-prepared organizations maintain pre-approved statements ready for immediate release, allowing them to take control of the media narrative from the outset. This isn’t just about having warm bodies in seats; it’s about ensuring that when a real breach occurs, the response team can minimize both the immediate damage and the long-term consequences.
The most successful tabletop exercises go beyond simple scenario walkthroughs to stress-test actual decision-making processes under pressure. They should simulate both the technical aspects of incident response and the human dynamics that determine whether an organization can execute its plans effectively. Certain scenarios to simulate may include:
- What happens when the CISO is traveling internationally during a breach?
- How does the team respond when initial assumptions about the attack vector prove incorrect?
- What if legal counsel is unavailable for the first six hours of response?
- What happens when public disclosure occurs and media outlets break the story first through their own sources or investigative reporting?
Effective exercises also need to account for the chaos factor inherent in real incidents. In actual breaches, information arrives in fragments, initial assessments are often wrong, and team members operate under extreme stress with incomplete data. The best tabletop exercises replicate this environment by introducing conflicting information, time pressure, and resource constraints. They force participants to make decisions with imperfect information.
Moreover, Fleming emphasized that tabletop exercises should extend beyond the immediate incident response to include longer-term business continuity considerations, such as how an organization will maintain operations while systems are compromised and the plan for customer communication.
Cyber Readiness Reimagined: Moving Beyond Reactive Security
Successfully navigating emerging cyber threats requires a fundamental shift from reactive security measures to proactive risk management. The goal isn’t to eliminate all cyber risk; that’s impossible. The goal is to understand your specific risks, prepare for the most likely scenarios, and ensure that when incidents do occur, your organization can respond effectively and minimize damage. Fleming has seen exercises where executives claim the time to restore is eight hours and use that as their planning factor. Unfortunately, that number may never have come from their IT operations team, or ever been rehearsed or fact-checked, so they conduct the entire exercise on incorrect information, essentially practicing failure.
But moving from strategy to implementation requires more than good intentions. It demands expertise that spans cybersecurity, data science, legal compliance, and business operations. This is where specialized advisory services become essential. Our Global Advisory Services bring together industry experts organized into specialized practices designed to help organizations purposefully plan, assess, report, and manage complex cybersecurity challenges. When a breach occurs despite all preparation, rapid identification of sensitive data (PII/PHI) becomes critical for understanding regulatory risk and responding appropriately. Our cutting-edge process combines cyber forensics, data science, and legal expertise to create successful outcomes for corporations, breach coaches, and cyber insurance providers.
Equally important are our proactive services that embody the left-of-breach philosophy. Our data hygiene services help organizations understand what data they have and where it lives: the foundational knowledge required for effective threat assessment.
Learn more about how our Global Advisory Services can help your organization mitigate cyber risk through a comprehensive approach that turns cybersecurity from a cost center into a competitive advantage.
About HaystackID®
HaystackID® solves complex data challenges related to legal, compliance, regulatory, and cyber requirements. Core offerings include Global Advisory, Cybersecurity, Core Intelligence AI™, and ReviewRight® Global Managed Review, supported by its unified CoreFlex™ service interface. Recognized globally by industry leaders, including Chambers, Gartner, IDC, and Legaltech News, HaystackID helps corporations and legal practices manage data gravity, where information demands action, and workflow gravity, where critical requirements demand coordinated expertise, delivering innovative solutions with a continual focus on security, privacy, and integrity. Learn more at HaystackID.com.
Assisted by GAI and LLM technologies.
SOURCE: HaystackID