
Dan Williams wrote this amazing piece on Network Security Assurance in CyberDefense Weekly.

Pricing Out Cybersecurity: The Cost of Assurance

Staying one step ahead of threat actors by assessing the state of network security is not a chore for the faint of heart. The activities involved in ensuring that a security policy is aligned with pragmatic, emerging threats can be carried out either by internal security departments or by third-party teams.

When it comes to regulatory compliance, some organizations do not get to choose whether to hire a third party to test their infrastructure; the test is required of them. Achieving minimum standards of compliance has created a "good enough security" culture that leaves organizations exposed to risks well outside what they are prepared to deal with.

Budgetary constraints are inarguably one of the greatest obstacles to sufficient assessment of the IT infrastructure that organizations rely on to support their business. Leadership's desired strategic vision and the operational reality of their production environments are often two very different things. Attempts to justify the cost of an external team to conduct a rigorous assessment often fall on deaf managerial ears. When executive leadership chooses a reactive security strategy over a proactive one, it is only a matter of time before a data breach occurs; sometimes the breach results not only in large fines but also in a decline in revenue due to clients' loss of confidence. These post-breach effects will leave any corporate leader thinking that due diligence would have prevented the sudden collapse of the business.

Eventually, even the most expensive security controls fail: zero-day exploits are used, misconfigured services are circumvented, and humans make mistakes. This is where the ability to detect a security breach compensates for the anticipated failure of preventive controls. Adequately training and empowering personnel with the skills necessary to assist in network defense can prevent the next big security incident. However, resources may already be stretched too thin, so a viable solution is needed.

Supporting the idea that "every employee is on the Incident Response team" extends the range of skills of existing IT personnel. It also keeps them involved with security efforts and creates a cost-effective solution for organizations contending with operational risk. This is a great opportunity to remind leadership what famed management consultant Peter Drucker once said: "If you think training is expensive, try ignorance." Especially wise words when cybersecurity is the topic.

Ultimately, however, deputizing IT personnel as the first line of defense on the cyber battlefield is not going to produce effective results overnight. Even when expert guidance in operations that support information security goals is not available, there are activities that can help less experienced personnel achieve those goals. Hosting tabletop exercises and whiteboard sessions that give personnel a direct perspective on a threat agent's methods can educate those who do not fully understand modern offensive capabilities for compromising networked information systems. Scenario development and incident response training can be conducted using strategies that tie into the tabletop board game market. One example is Black Hills Information Security's popular incident response card game "Backdoors & Breaches." Working through the various stages of a security incident while exposing personnel to common tactics, techniques, and procedures (TTPs) can initiate novice IT personnel into a meaningful role as supporting players in an organization's security strategy.

An in-house team that both performs security testing and monitors for potential breaches has advantages that set it apart from an external third party. An external engagement that requires a team to spend weeks or even months conducting assessments can be terribly expensive. The context that internal personnel bring adds value to security testing because they know the intimate details and well-worn footpaths of their organization's infrastructure.

This is where knowing the various types of testing methodologies and their benefits comes in handy when determining what approach to take. Often used interchangeably, vulnerability assessments, penetration tests, and red team engagements are three very different methods, each with specific goals that set it apart from the others.
