Threat-Informed Cybersecurity: Are You Ready and Resilient? Part I
By Chris Clements, Vice President of Solutions Architecture, CISO Global, Inc.
Long popular in the military, “readiness and resiliency” is a staple of cybersecurity, too.
It makes sense.
Both institutions value (1) being alert to threats and risks while (2) recognizing that the types of threats and risks themselves are less important than the reaction to them.
But how companies PERCEIVE risk is often very different from how they TAKE ON risks.
Over 90% of my penetration tests have concluded with successful entry into “secure” environments. But does that usually faze their IT departments when I deliver my report? No.
It often doesn’t. And that’s weird, right? It’s like they should be in shock, but, bizarrely, they aren’t.
Their threat-informed awareness often falls so far short that these organizations can't see how ineffective their security controls were, despite having proof in hand. Which means they can't build effective security controls, either, even when shown how.
When a company compromised in a cyberattack makes the news, was it really because they didn’t have a firewall or antivirus in place?
Based on every cybersecurity vendor presentation I’ve seen in the last twenty years — on that obligatory slide that details how much more damage happened year over year, which is always followed by a slide that claims this vendor’s “silver bullet” will solve the problem — the answer is yes.
But it can’t be yes, can it? Because the problem is still here, year after year. What’s missing?
What’s missing in almost all successful attacks?
Readiness and resiliency are missing.
You can’t have those two things without a culture of cybersecurity, and you can’t have a culture of cybersecurity without threat-informed awareness. That’s very different from annual simulated phishing attacks. Being threat-informed is a different approach to all the activities you may be doing. It means that every time you get a pen test, that test will include simulations of the most recent hack trends, specific to your industry and context. That means no more canned pen tests. It means whoever is providing your MDR, SIEM, threat hunting, and response is continuously updating their methodology with new attacks.
If your cybersecurity layers are not continuously threat informed, you may be protecting yourself from old attack types, but remain vulnerable to the latest threats. So, it’s key to build this concept into your program at every level.
And that’s what a well-built cybersecurity team (or outsourced provider) brings to the table:
- Top talent who know how to conduct and leverage ongoing dark web and threat research to continuously expand and evolve your security awareness and compliance programs
- Risk assessments that review your controls specifically for protections against the latest threats, in addition to the standard requirements
- Periodic reviews of recent changes to your business model, examining what new cyber threats you may have inadvertently created
- Penetration tests that reveal both deficiencies AND sufficiencies
Next week, we will look at what kinds of changes you will want to implement to make your security program more “threat informed”, or what you should be requiring of your outsourced providers.
Want to learn more about the steps you need to take to make your company ready and resilient? Let’s talk. Contact CISO Global, Inc. today.