SecurityWeek

Management & Strategy

A Key Step to Improving Network Security: Challenge the Status Quo

When it Comes to Security, What You’ve Accomplished Means Very Little

There are all kinds of leaders in this world. Whether they are political or business leaders, educators or coaches, one common trait the cream of the crop share is a willingness to challenge the status quo and take risks in order to find a better way of doing things.

These outstanding leaders do not surround themselves with yes-men. We are all familiar with the type: the inner circle more concerned with personal positioning than company success, the ones who will enthusiastically agree with the boss no matter what the issue is in an effort to curry favor, even when they vehemently disagree with a course of action. While this crowd will certainly boost your ego, they will not boost the long-term success of you and your organization. You need people who are honest with you, unafraid to call you out when you’re making a mistake or to deliver the tough message when it’s needed.

In the same way that it’s wise to surround yourself with those who hold you accountable, your security infrastructure should also be tested. It’s not enough just to build up your defensive security measures – you have to actively challenge their effectiveness. Many of our customers rely on penetration testing to fill this function. By scheduling these tests at regular intervals, they force themselves to take an honest and critical look at their security program.

It’s a common misconception that the goal of a penetration test is merely to identify vulnerabilities and report them so they can be addressed. In fact, when performed correctly, these tests also validate that the various parts of the IT and IS organizations have done what they said they would do. A test forces those teams to ask tough questions of themselves, such as: are the right controls in place? Are they working the way they’re supposed to? Will they still be in place two weeks from now?

Unfortunately, I’ve noticed a “yes-man” mentality creeping into the otherwise brutally honest world of pen testing.

More and more organizations are being required to carry out pen tests for compliance purposes, and many of these organizations are setting up parameters for the tests that they know they will be able to pass so they can “check the box” with minimal effort and strife. This may be enough for you to achieve compliance, but compliance should be the floor, not the ceiling. Testing yourself only in areas where you know you’re strong will not produce any actionable information or make your organization any more secure.

Compliance guidelines may only require you to run some basic network pen tests, but will that significantly improve your security posture? The reality is that attackers can and will pivot from one vector to another, and an effective pen test should do the same. In order to be successful and realize the full value of your security investments, you have to think like an attacker and try all the different methods and tricks a real attacker would use.

It’s never pleasant to be critical of yourself or a dedicated team that is working hard on your behalf, but if you are going to be successful, that is exactly what you have to do.

As a whole, the professionals who enter the world of information security are highly intelligent and highly motivated. The excitement of having to stay one step ahead of the attacker is often the primary reason they got into the field in the first place. Regulations that you must comply with may change every couple of years, but attackers are updating their approaches every day. Building a truly outstanding security program and holding yourself and your team accountable will keep your stakeholders safe and your team engaged.

Unfortunately, when it comes to security, what you’ve accomplished means very little. It’s all about where the vulnerabilities still exist. The leaders of truly secure organizations don’t sit around and congratulate themselves on a job well done; they put people and procedures in place that will keep them accountable, and they never stop striving for excellence.