Is red teaming a better way to demonstrate security needs to the board than traditional compliance audits?
Board Member, Former CIO in Software, 10,001+ employees
We did a red team with all my companies. I'm so glad they did. It completely changed the mindset of the CIO. All of a sudden he was like, "Let's not spend any money on these stupid certifications because they're not doing anything." It was an over-pivot though, because you still need the certifications for certain things. You need them to be able to make promises about the quality of your infrastructure and the security that you have around it, but they don't give you an idea of how effectively you are delivering on those promises. That's where red teaming comes in.

Actually, after they did the red team they didn't want to bring it to the audit committee because they didn't want the auditors to freak out. It's not that they didn't want to talk about it ever, just not right then. By delaying it, they gave themselves a bit more time to work with the auditors to make sure that it didn't screw up the $10K, which highlights the fact that even the auditors are screwed up on this front. They don't know how to do risk assessment because the company finding its own dirty problems is a very healthy thing regardless of how dirty the problem is. It's way better for that to happen than for bad guys to find it.
CISO in Software, 201 - 500 employees
Not always. As usual, security needs come from the business, then from risk assessment, and last from red teaming results and the like. Most organizations that use red teaming already have some vision and strategy about IS, so this means that they have thought about needs, risks and so on. Red teaming and some pentesting are just additional measures to become more secure by identifying current weaknesses. :)
I get a report listing every hole in my environment. Then I’ll rank what I think is the most important and take it to the board to say, "Here are the actual problems that we have. Which ones do you think we should address first? Give me money so I can fix it." That totally changes the discussion from being theoretical to actual: "These are our real issues. Let's solve these problems."
That's interesting. I hadn't seen them before. What are they doing that allows them to do this continuously? Do they have a panel of stuff that they're rotating through this? It's not just humans doing the work?
It's their magical AI from all the U.S. Army Special Forces. Their AI engine just roams your environment through simple connectors and it catches all the holes.
It’s like the Skynet red team. It starts with the red team and then next thing you know, the botnet is making the ransomware.