Page 135 - CDM-CYBER-DEFENSE-eMAGAZINE-December-2018

A CISO's 'playbook': Practice How You Fight


by David 'Moose' Wolpoff, CTO and co-founder, Randori





Despite CISOs and organizations making huge investments in security – with more tools and solutions on the market than ever before – high-impact and high-profile breaches continue to fill headlines every day. By 2020, organizations will spend more than $124 billion globally on security [27], but more money alone cannot and will not fix the issues we face. To do that will require a shift in perspective, away from the false belief that it is ever possible to stop every attack and fix every gap, and instead towards one grounded in practice and readiness.

For 14 years, companies and government agencies have paid me to hack into their networks. During this time, despite advances in technology, the basic ways attackers get into these organizations have not changed much, with phishing, malware and basic exploits remaining the most common attack methods. The question should be asked: why do we continue to fall victim to these same basic attacks?


The problem, as I see it, is that while we have thrown more money at security, most organizations continue to lack the dedication needed to address the fundamental knowledge gaps and process failures attackers rely and count on to succeed. Instead, organizations continue to reward and encourage those with defender mindsets. Because of this, it is often far easier for CISOs to purchase another tool than it is to invest in training or change long-held IT processes and procedures that could really move the needle. What's required is a shift in focus. Organizations need to adopt an attacker's mindset. While not always easy, making this shift could not be more essential.


To adopt an attacker's mindset is to align with the old adage, "know your enemy." Instead of focusing on building more defenses, enterprises that take an attacker's mindset focus on understanding the way hackers think, how they make decisions, and the techniques and procedures adversaries use to break into their environments. My experience has shown that these companies generally have a better understanding of the true risks they face and are better able to identify where they are most vulnerable.

[27] Gartner





