“Just because you're paranoid doesn't mean they aren't after you.”
Joseph Heller penned that in Catch-22. It captures the challenge of many security leaders today. In a profession that breeds paranoia, we need to worry less about how paranoid we are and ask ourselves, “How productive is our paranoia?”
A few months ago, I talked with Mokady about the need to "sprint before getting forced to scramble." During that conversation, I asked if he saw a trend in the security leaders advancing their positions. Without hesitation, he explained that the leaders embracing red teams had a deeper understanding and were demonstrating more success.
I asked him to expand a bit. Here’s his security slap shot:
Security leaders must be 'productively paranoid'
Successful business leaders understand the power of disruption as a pathway to anticipating unstated future customer needs. The concept of disruption as a force for innovation is powerful in the field of cybersecurity and often pushes business leaders to problem solve in new or unexpected ways. Proactively simulating attacks on your own organization is an excellent example.
With now-broad acceptance that attackers will get in and that compromise is expected, there are distinct advantages to being “productively paranoid.”
Security leaders who are productively paranoid fully embrace the idea that the best way to play defense is to start playing offense. This doesn’t mean companies should “attack back,” but they need to understand the mindset and pathways attackers take to infiltrate organizations. This is why CyberArk encourages customers to consider the benefits of conducting red team exercises.
Attackers are continually honing their skills and looking for new vulnerabilities to exploit. Security teams must have an equally agile approach — with the ability to confidently identify weak spots before the attackers do — and mitigate associated risks.
Effective risk management becomes harder as enterprises embrace cloud and DevOps strategies, which can expand the attack surface and create new blind spots. Red team exercises are designed to simulate a real-world adversary and test the security operations team’s ability to respond to advanced threats. By conducting red team exercises, enterprises can test their ability to detect and protect against known and unknown threats, find their most vulnerable points, and better understand what steps attackers may take during the phases of the attack.
Whether conducted by internal teams or by external groups, it’s important for business leaders to remember that red team exercises don’t result in a pass or fail grade. Attackers will always find a way in, and organizations should take an “assume breach” approach in their security posture. With the current threat environment, CEOs and boards will increasingly ask if this sort of proactive testing and threat simulation is happening. With red teaming, organizations can do more than demonstrate that they are checking boxes; they are demonstrating a quantifiable commitment to risk management that puts security first.
My analysis (color commentary)
I want to amplify a key point: Proper testing is not pass or fail. I see a lot of security leaders get the required test to satisfy a requirement. Or they use it as a way to demonstrate a need for something. While those might be important, testing is a way to better understand what is likely to happen. Proper testing — embracing a red team, for example — is a great way to clarify your focus and prioritize your effort on what is going to make the most difference.
The more we understand the reality of attackers, the better our ability to defend. And sometimes that means building in the right resilience. I’m not worried about a breach, per se. I’m more interested in how quickly you detect a breach and how rapidly you respond appropriately. Embracing your red team efforts might just give you an edge.
Your turn — react
How do you feel about red teams? Are you getting the most out of your red team efforts?
Take it to Twitter and engage with me (@catalyst) to let me know what you think.
Ready, set, react!