Because security functions in nearly equal parts in proactive and active mode, the best way to minimize potential damage is to limit human error through security awareness.
Once those processes and procedures are in place and an incident response plan exists, organizations can test them, which leads to important conversations. "They can talk about offensive attacks to disrupt attacks in process so that you know you are in compliance and that you have the right to do this or that," Johnson said.
The bigger challenge to winning the game is not in offense or defense as much as it is in planning. Johnson said, "If you plan for it and everyone has looked at it and signed off, you don't have to worry, but a lot of companies don't plan for it."
Because there is some ambiguity in how the law is interpreted, responding aggressively might not be the most prudent path. Dana Simberkoff, chief compliance and risk officer at AvePoint, said that outside of attacking their attackers, there are many things enterprises can do to be proactive.
"Understand the data that you hold; the more valuable it is, the more likely you are to be attacked," Simberkoff said. Companies that collect more data than they need and keep it forever, in the hope that it will someday be useful, are putting that data at greater risk.
"It's counterintuitive to best security practices. Even Snowden was not particularly creative. That should have been able to have been prevented," said Simberkoff. The mistakes aren't necessarily in the technical part of defense, but in human error.
"I've worked with privacy and security teams that definitely believe that responding in an aggressive way is the approach they should take, but I still feel like most vulnerabilities can be addressed by education and good policies and procedures," Simberkoff said.
That's why the teams topping the ratings charts in the NFL aren't the ones ranked first in either offense or defense. They are the ones playing a holistically better game.