Dr. Larry Ponemon on Why Containment — Not Prevention — Is the Future of Cybersecurity

What keeps Dr. Larry Ponemon, founder of the Ponemon Institute and author of the long-running Cost of a Data Breach report, up at night? In my recent conversation with him, he had a definitive answer: ransomware.

“Ransomware is a gateway to huge problems,” he said. “It starts small, but then it becomes insidious.”

Ponemon has spent over two decades studying the true impact of cyberattacks. His latest research, The Global Cost of Ransomware Study sponsored by Illumio, shows a troubling trend. Even as cybersecurity spending increases, attacks are growing more frequent, more costly — and harder to contain.

“We used to think prevention was the goal,” he told us. “But it’s not practical anymore. The focus now needs to be on how fast you can contain the damage.”

In this post, we’ll break down Ponemon’s key insights on why prevention has become a false promise, what’s changing in ransomware tactics, and how Zero Trust and strong leadership can help organizations stay resilient, even when the worst happens.

Cybersecurity’s prevention myth

Many organizations still invest in tools that promise to stop attacks. But that promise is often broken.

“We used to think prevention was the goal,” Ponemon said. “But it’s not practical anymore. The focus now needs to be on how fast you can contain the damage.”

His research backs that up. Even as spending increases, breaches are becoming more frequent and more expensive. “For every one threat we catch, there are probably 10 or 20 we don’t even know about until it’s too late,” he said.

AI is being used to generate phishing messages, create adaptive malware, and bypass defenses. What feels quiet now may be the calm before the storm.

The reality is that we can’t stop every breach. But we can contain them to reduce the damage they cause when they’re able to spread freely inside the network.  

We used to think prevention was the goal. But it’s not practical anymore. The focus now needs to be on how fast you can contain the damage.

Why breach containment matters now

Ponemon believes we haven’t yet seen the worst of ransomware. He warns that AI-powered attacks are on the rise, and the next wave could cost trillions.

In The Global Cost of Ransomware Study, Ponemon found:

• On average, 25% of critical systems go down during a ransomware attack and stay down for 12 hours.  
• It takes 132 hours to fully contain the attack, using both internal teams and external help.
• Over half of organizations paid the ransom, but only 13% recovered all their data.

“Boards and C-level executives need to understand that these are not just technical issues, they’re reputational and operational risks,” Ponemon said.

This reinforces a key point: the quicker you contain an attack, the better you can protect your operations and your reputation.

Zero Trust is ready for modern cybersecurity challenges

From Ponemon’s perspective, Zero Trust continues to be the best strategy for dealing with modern cyberattacks — but only if it’s implemented properly.

“Zero Trust, if implemented correctly, can be very effective,” Ponemon said. “But a lot of organizations think they have Zero Trust when they really don’t.”

He warns against treating it as a checkbox. Real Zero Trust limits lateral movement and helps contain attacks. But it also requires collaboration across teams and a leader who owns the outcome.

So how can organizations collaborate to prepare for the next attack? Ponemon recommends:

• Focusing on time to contain, not just prevention
• Assigning clear ownership of cyber resilience
• Training employees across the entire organization on ransomware tactics, especially social engineering
• Embracing Zero Trust as both a strategy and a mindset

Most of all, we need to shift our thinking. “It’s not about stopping everything,” he said. “It’s about staying standing when the worst happens.”

Want to hear my full discussion? Listen to this week’s episode on Apple Podcasts, Spotify, or wherever you get your podcasts. You can also read a full transcript of the episode.