Red teaming can be the ground truth for CISOs and execs

This year, against the backdrop of attacks on everyone from healthcare institutions and schools to financial services organizations, as well as the introduction of legislation across the UK and EU to move security up the agenda, cybersecurity has undoubtedly become more of a priority for boards.


As these breaches continue to make headlines, the time is now for boardroom executives to take on the responsibility of setting the tone for cybersecurity across the company. After all, instilling priorities at the board level and having that message trickle down across the company is a key tenet of business success.

But is cybersecurity treated differently? Some would argue that while cyber is certainly a priority in boardroom discussions, execs have still yet to take full responsibility for their security posture and often silo this to SecOps teams or their CISO. Given the potential for ransomware to destabilize operations, finances, and reputation, more execs should put cybersecurity front and center on the agenda. Perhaps they would if they understood the truth of what they were looking at.

Why isn’t the board on-board?

While organizations around the world continue their journey to cyber-maturity, companies that don’t engage with the boardroom directly on cybersecurity are opening the door to serious risk in the future. This lack of engagement can be due to several variables, including lack of strong board cybersecurity expertise/experience, or simply an underestimation of risk. CISOs, whether they are in that boardroom or not, will recognize that this must change, and that change can only come from clearer communication of risk.

If you want the board to take more of an interest in cybersecurity, or to fully grasp the risk of not making it a priority for the company, then you need to speak to their level of risk. They want the ground truth, spoken to them in a way they understand and that cuts through the technical jargon. How will the consequences of not doing this affect their bottom line? How will a ransomware attack affect their reputation? Why is this a priority right now?

The CISOs among us may feel like they’ve been trying to have this conversation to no avail, but the risk of getting lost in translation is far too high. To engage the board, you need to clearly demonstrate the direct link between what happens if a hacker finds a vulnerability in your network and how badly things can go wrong as a result. If you speak a truth that they understand, you’ll unlock the trust, transparency and cooperation that is needed to give cybersecurity the attention it deserves at all levels of the business. Red teams can help you achieve this.

Red teams and “offensive security”

What red teams can give CISOs is the cold, hard truth of how their network stacks up against threats that could be ruinous to the business. Red teams leave no stone unturned and pull on every thread until it unravels. This shines light on the vulnerabilities that will harm the finances or reputation of the business.

With a red team, objective-based continuous penetration testing (led by experts that know attackers’ best tricks) can relentlessly scrutinize the attack surface to explore every avenue that could lead to a breakthrough. This proactive, “offensive security” approach will give a business the most comprehensive picture of their attack surface that money can buy, mapping out every possibility available to an attacker and how it can be remediated.

It is also not limited to testing the technology stack; for businesses concerned that their employees are susceptible to social engineering attacks, red teams can emulate social engineering scenarios as part of their testing. A stringent social engineering assessment program should not be overlooked in favor of only scrutinizing weaknesses in IT infrastructure. Cybersecurity is a human problem that needs humans to create a solution, using the available technology.

Get the facts, earn their trust

For CISOs, the evidence from red teams gives the who, what, when and how of how well their attack surface stands up to scrutiny, with none of the negative consequences of a malicious breach. This is the evidence they can take to the board to confidently state the case for cybersecurity to be taken seriously at the exec level and to gain the trust they need to put their best foot forward against ransomware.

The board, for its part, will see the big picture of threats to the attack surface and at the same time be presented with a plan for remediation. They can trust that the IT team is doing everything possible to resolve vulnerabilities before they can affect the business. And because red teams have the knowledge to accurately gauge how urgent a risk each vulnerability is, the presentation can zero in on what needs to be done immediately, keeping these discussions succinct and solutions focused.

Once that trust has been built, red teams make it easy for the board to stay updated on cybersecurity. Continuous penetration testing persists even after vulnerabilities are remediated to make sure that the problem is truly fixed. This means cybersecurity always has its place on the agenda, and there is transparency between CISOs and execs on how the organization is proactively looking to patch vulnerabilities before an attacker knows they exist.

If an organization’s cybersecurity is not receiving the attention it deserves, then the board needs to know. However, it can be hard to get engagement from the execs if the information security team doesn’t speak “board language”. By deploying the expertise of a red team, you’ll have the facts you need to cut to the heart of what these decision-makers really care about, with hard evidence of the risks they are facing, unlocking the support from the top needed to keep the entire business secure.
