Is red teaming a better way to demonstrate security needs to the board than traditional compliance audits?
Not always, as usually security needs come from the business, then from risk assessment, and the last one is red teaming results and something like that. Most organizations that use red teaming already have some vision and strategy about IS, so this means that they have thought about needs, risks and so on. Red teaming and some pentesting is just an additional measure to become more secure by identifying current weaknesses. :)
We did a red team with all my companies. I'm so glad they did. It completely changed the mindset of the CIO. All of a sudden he was like, "Let's not spend any money on these stupid certifications because they're not doing anything." It was an over-pivot though, because you still need the certifications for certain things. You need them to be able to make promises about the quality of your infrastructure and the security that you have around it, but they don’t give you an idea of how effectively you are delivering on those promises. That's where red teaming comes in.
Actually, after they did the red team they didn't want to bring it to the audit committee because they didn't want the auditors to freak out. It's not that they didn’t want to talk about it ever, just not right then. By delaying it, they gave themselves a bit more time to work with the auditors to make sure that it didn't screw up the $10K, which highlights the fact that even the auditors are screwed up on this front. They don't know how to do risk assessment because the company finding its own dirty problems is a very healthy thing regardless of how dirty the problem is. It's way better for that to happen than for bad guys to find it.
You can red team, but people are only red teaming once a year or once a quarter. Horizon3 does 24/7 red teaming. I've used it at my last few companies and it totally changed the work conversation. Now that I have this 24/7 red teaming going on, it's telling me where all my weak passwords are, what's not in the GPO, things I missed, things I can hack into, etc.
I get a report listing every hole in my environment. Then I’ll rank what I think is the most important and take it to the board to say, "Here are the actual problems that we have. Which ones do you think we should address first? Give me money so I can fix it." That totally changes the discussion from being theoretical to actual: "These are our real issues. Let's solve these problems."
That's interesting. I hadn't seen them before. What are they doing that allows them to do this continuously? Do they have a panel of stuff that they're rotating through this? It's not just humans doing the work?
It's their magical AI from all the U.S. Army Special Forces. Their AI engine just roams your environment through simple connectors and it catches all the holes.