When it Comes to Security, What You’ve Accomplished Means Very Little
There are all kinds of leaders in this world. Whether they are political or business leaders, educators or coaches, one common trait the cream of the crop share is a willingness to challenge the status quo and take risks in order to find a better way of doing things.
These outstanding leaders do not surround themselves with yes-men. We are all familiar with the type: the inner circle more concerned with personal positioning than company success, the ones who will enthusiastically agree with the boss no matter what the issue is in an effort to curry favor, even when they vehemently disagree with a course of action. While this crowd will certainly boost your ego, they will not boost the long-term success of you and your organization. You need people who are honest with you, unafraid to call you out when you’re making a mistake or to deliver the tough message when it’s needed.
In the same way that it’s wise to surround yourself with those who hold you accountable, your security infrastructure should also be tested. It’s not enough just to build up your defensive security measures – you have to actively challenge their effectiveness. Many of our customers rely on penetration testing to fill this function. By scheduling these tests at regular intervals, they force themselves to take an honest and critical look at their security program.
It’s a common misconception that the goal of a penetration test is merely to identify vulnerabilities and report them so they can be addressed. In fact, when performed correctly, these tests are also a validation that the various parts of the IT and IS organizations have done what they said they would do. It makes them ask tough questions of themselves such as: are the right controls in place? Are they working the way they’re supposed to? Will they still be in place two weeks from now?
Unfortunately, I’ve noticed a “yes-man” mentality creeping into the otherwise brutally honest world of pen testing.
More and more organizations are being required to carry out pen tests for compliance purposes, and many of these organizations are setting up parameters for the tests that they know they will be able to pass so they can “check the box” with minimal effort and strife. This may be enough for you to achieve compliance, but compliance should be the floor, not the ceiling. Testing yourself only in areas where you know you’re strong will not produce any actionable information or make your organization any more secure.
Compliance guidelines may only require you to run some basic network pen tests, but will that significantly improve your security posture? The reality is that attackers can and will pivot from one vector to another, and an effective pen test should do the same. In order to be successful and realize the full value of your security investments, you have to think like an attacker and try all the different methods and tricks a real attacker would use.
It’s never pleasant to be critical of yourself or a dedicated team that is working hard on your behalf, but if you are going to be successful, that is exactly what you have to do.
As a whole, the professionals who enter the world of info security are highly intelligent and highly motivated. The excitement of having to stay one step ahead of the attacker is often the primary reason they got into the field in the first place. Regulations that you must comply with may change every couple of years, but the attackers are updating their approaches every day. Building a truly outstanding security program and holding yourself and your team accountable will keep your stakeholders safe and your team engaged.
Unfortunately, when it comes to security, what you’ve accomplished means very little. It’s all about where the vulnerabilities still exist. The leaders of truly secure organizations don’t sit around and congratulate themselves on a job well done; they put people and procedures in place that will keep them accountable and never stop striving for excellence.