A question came up as we are ramping up our security testing and breach and attack simulation tools research projects. Just how motivated are organizations to test whether they have done a good job with security? Note that I think there is a subtle difference between:
- How secure are we?
- How good of a job we’ve done securing ourselves?
Imagine the following scenario: a CSO who spent years or even decades in the field gaining experience (notably, this does not mean that he is a good CSO…or a bad one – just an experienced one!) and then perhaps years defining and building security at his current employer. Suddenly, a feisty vendor shows up at his door and says: we can now objectively test how good of a job you’ve done! [for the sake of this argument, let’s assume they really can]
Would you agree that it takes copious amounts of intellectual honesty – even courage! – to say “yes, let’s test it!”? For sure, a new CSO who inherited much of the security technology and many security policy decisions may be inclined to say “yes” [at the very least, he can be motivated by his desire to prove his predecessor wrong and deploy all different controls :–)] However, a CSO who perhaps spent years growing his baby … eh … his security program… may be inclined to say “why test?! we know what we are doing here!”
Look, luck-based security is alive and well. Brainless compliance is alive and well (PCI DSS before, NIST CSF now; at some places that say “our security = our compliance + our hope for the best”). People’s cognitive biases are very much alive – and will always be alive.
Conclusion? If you show up with testing tools and/or methodologies, BE READY TO FIGHT!!
REMINDER: vendors who offer breach and attack simulation (BAS) tools, make sure to schedule the briefings with us soon, or be left in the footnotes of our report 🙂 Most of you have already done it, but some have not…
Related blog posts:
- Threat Simulation – How real does it have to be? (by Augusto)
- The Bane of All Security Tests: Acting on Results
- New Research: How to Actually Test Security?
- Threat Simulation Call to Action for 2018
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.