
Cybersecurity: The Best Defense Is A Better Offense

Forbes Technology Council

Executive Vice President, Pen Testing, at Coalfire.

Since the mid-'90s, traditional security focused on identifying vulnerabilities, testing network perimeters and defending data centers. Then the cloud dominated the world.

An exploding attack surface has forced a new paradigm in cyber best practices, where security teams embrace a real-world, threat-informed defense (TID) in place of the fortress mentality of the past. TID means prioritizing resources toward the vulnerabilities most likely to be exploited and most relevant to a company’s profile, then applying traditional defensive measures like patching, fixing misconfigurations and deploying cyber safeguards to build business resiliency.

As network perimeters continue to disintegrate in today’s complex, hybrid computing environments, it’s become impractical to defend against every known and unknown threat. The best defense is now a better offense.

The Coming Of Age Of Offensive Security

Announced earlier this year, the Biden-Harris Administration’s long-term National Cybersecurity Strategy reflects this new emphasis on offensive security capabilities that will hold government contractors, software developers and critical infrastructure players to higher standards. As a result, organizations are accelerating their adoption of offensive strategies defined by programmatic adversary emulation and scenario-based penetration testing.

The real-time integration and deployment of secure code in the cloud now permeate the modern corporate culture, instilling an attack surface management (ASM) and continuous testing mindset with every developer, manager and marketer.

This holistic approach expands from product development to the supply chain and throughout the customer experience, and must now evolve to accommodate the trend toward edge computing architectures. Distributed computing outside the cloud will reduce bandwidth demands by bringing users closer to applications and data sources, and cybersecurity teams must adjust.

Going on offense with state-of-the-art testing and remediation is one way to tame the bad actors who are penetrating the multicloud like rainwater on an old sidewalk, starting with the biggest cracks and then soaking into every point of weakness.

On top of managing more risk and struggling to adapt to new business realities, the board and C-suite may be losing patience with CISOs and questioning the value of security budgets that fail to produce results.

Cost Control Strategies

The paradigm shift toward offensive security is upon us. There are many pain points along this journey, but executive leaders can elevate their security oversight skills by connecting cyber performance to three management maxims.

• Scale: Keep up with the growing attack surface.

• Value: Mitigate and contextualize risks.

• Efficiency: Optimize teams and processes by doing more with less.

These three strategic objectives set today’s mission-critical, intelligence-driven cyber priorities: offensive security layered across application development, product lifecycle and compliance. Primary use cases that shape modern enterprise vulnerability management programs include:

• Application Security: The continuous integration and deployment of DevSecOps involve application penetration testing, threat modeling and code review from the start of every software development program. Embedding these elements within your secure product lifecycles can have development teams "coding with confidence."

• Offensive Security: A threat-informed approach highlights scenario-driven adversary emulation. Key tactics include enterprise penetration testing and "red teaming," where one group plays the role of adversary to reveal vulnerabilities from an attacker’s perspective, while security operations teams take lessons learned to tweak detection and response playbooks.

• Compliance Security: Move from the mindset of "must" to "meaningful," as these required pen testing activities are increasingly part of opening up new markets for business as they relate to FedRAMP, PCI and new FDA medical device requirements. Continuous vulnerability assessments and pen testing that satisfy the distinct requirements of each compliance framework are today’s table stakes for operating a growing business.

Aligning Investments

In the same spirit that the best defense is a better offense, cyber leaders are moving from traditional fear, uncertainty and doubt (FUD) to a "return on security investment" (ROSI) mindset. Here are the top three security cost-control strategies being employed by the world’s largest companies and cloud service providers.

1. Stop identifying more issues and start fixing them.

Spending too much time searching for and identifying problems, rather than validating the accuracy of detection monitoring and actually fixing what has been found, is unproductive.

The key is to aggregate and contextualize this data through automation, so that remediation decisions are driven by data rather than by the sheer volume of findings.
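As an added illustration, not part of the original article, of what "aggregate and contextualize through automation" can look like in practice: findings from two hypothetical scanners are deduplicated per asset and CVE, then ranked by a simple threat-informed score. The scanner record format, asset context fields, CVE identifiers and scoring weights are all constructed for this example.

```python
# Constructed sample findings from two hypothetical scanners; field names are assumed.
# The CVE identifiers are placeholders, not real advisories.
FINDINGS = [
    {"source": "scanner_a", "asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},
    {"source": "scanner_b", "asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8},  # duplicate
    {"source": "scanner_a", "asset": "db-01", "cve": "CVE-0000-0002", "cvss": 7.5},
    {"source": "scanner_b", "asset": "kiosk-03", "cve": "CVE-0000-0003", "cvss": 9.1},
    {"source": "scanner_a", "asset": "web-01", "cve": "CVE-0000-0004", "cvss": 5.4},
]

# Constructed business context: how exposed and how critical each asset is (1 = low, 5 = high).
ASSETS = {
    "web-01": {"internet_facing": True, "criticality": 3},
    "db-01": {"internet_facing": False, "criticality": 5},
    "kiosk-03": {"internet_facing": False, "criticality": 1},
}

# Constructed stand-in for a threat-intelligence feed of actively exploited CVEs.
KNOWN_EXPLOITED = {"CVE-0000-0002"}


def aggregate(findings):
    """Collapse findings from multiple tools into one record per (asset, CVE)."""
    merged = {}
    for f in findings:
        key = (f["asset"], f["cve"])
        rec = merged.setdefault(
            key, {"asset": f["asset"], "cve": f["cve"], "cvss": 0.0, "sources": set()})
        rec["cvss"] = max(rec["cvss"], f["cvss"])  # keep the worst reported severity
        rec["sources"].add(f["source"])
    return list(merged.values())


def priority(rec, assets, known_exploited):
    """Assumed scoring model: CVSS weighted by asset criticality, exposure and exploitation."""
    ctx = assets.get(rec["asset"], {"internet_facing": False, "criticality": 1})
    score = rec["cvss"] * ctx["criticality"]
    if ctx["internet_facing"]:
        score *= 1.5
    if rec["cve"] in known_exploited:
        score *= 2.0
    return round(score, 1)


def prioritized(findings=FINDINGS, assets=ASSETS, known_exploited=KNOWN_EXPLOITED):
    """Return deduplicated findings, highest priority first, ready for a fix queue."""
    recs = aggregate(findings)
    for r in recs:
        r["priority"] = priority(r, assets, known_exploited)
    return sorted(recs, key=lambda r: r["priority"], reverse=True)
```

With this weighting the lower-CVSS but actively exploited flaw on the critical database outranks the critical-severity finding on the low-value kiosk, which is the contextualization the article is calling for.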

2. Shift your investments.

Shift left and develop secure code by design via embedding controls in the product lifecycle and supply chain.

Minimize your digital footprint by reviewing software usage and license fees, and then lock down or remove existing software that is not driving business value.

Consolidate vendors, tools and audits as opportunities arise to maximize internal resources on high-value initiatives.

3. Stop hiring and start doing more with less.

This is the age of specialization—hire and retain leaders who know how to allocate resources to reduce, or, better yet, eliminate tech debt.

Be it people, processes or technologies, be aware of what your teams excel at and leverage partners for the rest. Big tech layoffs have left a lot of high-salary talent looking for work. Know your near- and mid-term human capital talent strategy for how you plan to execute current projects.

Long-Term Digital Strategy

Regulatory compliance remains the traditional legal means of enforcing security controls. Yet, the stage is set for more adversarial intelligence to drive threat-informed defensive security programs within managed cloud ecosystems.

With timely direction from the White House, America’s next-generation offensive security strategy is designed to deliver safety and security for everyone around the world, and to reflect the values of economic freedom and cultural inclusion. With an emphasis on offensive testing in defense of federal networks, our nation’s new cloud security guard rails will direct corporate cyber operations well into the next decade.
