On Negative Pressure or Why NOT Objectively Test Security?

A question came up as we are ramping up our testing security and breach and attack simulation tools research projects. Just how motivated are organizations to test whether they have done a good job with security? Note that I think there is a subtle difference between:

  1. How secure are we?
  2. How good of a job we’ve done securing ourselves?

Imagine the following scenario: a CSO who spent years or even decades in the field gaining experience (notably, this does not mean that he is a good CSO…or a bad one – just an experienced one!) and then perhaps years defining and building security at his current employer. Suddenly, a feisty vendor shows up at his door and says: we can now objectively test how good of a job you’ve done! [for the sake of this argument, let’s assume they really can]

Would you agree that it takes copious amounts of intellectual honesty – even courage! – to say “yes, let’s test it!” For sure, a new CSO who inherited much of the security technology and many security policy decisions, may be inclined to say “yes” [at the very least, he can be motivated by his desire to prove his predecessor wrong and deploy all different controls :–)] However, a CSO who perhaps spent years growing his baby … eh … his security program… may be included to say “why test?! we know what we are doing here!”

Look, luck-based security is alive and well. Brainless compliance is alive and well (PCI DSS before, NIST CSF now; at some places who say “our security = our compliance + our hope for the best”). People’s cognitive biases are very much alive – and will always be alive.

Conclusion? If you show up with testing tools and/or methodologies, BE READY TO FIGHT!!

REMINDER: vendors who offer breach and attack (BAS) simulation tools, make sure to schedule the briefings with us soon, or be left in the footnotes of our report :-) Most of you have already done it, but some have not…

Related blog posts:

*** This is a Security Bloggers Network syndicated blog from Anton Chuvakin authored by Anton Chuvakin. Read the original post at: https://blogs.gartner.com/anton-chuvakin/2018/01/22/on-negative-pressure-or-why-not-objectively-test-security/