Is red teaming a better way to demonstrate security needs to the board than traditional compliance audits?

1.8k views1 Upvote7 Comments

CISO in Software, 51 - 200 employees
You can red team, but people are only red teaming once a year or once a quarter. Horizon3 does 24/7 red teaming. I've used it at my last few companies and it totally changed the work conversation. Now that I have this 24/7 red teaming going on, it's telling me where all my weak passwords are, what's not in the GPO, things I missed, things I can hack into, etc.

I get a report listing every hole in my environment. Then I’ll rank what I think is the most important and take it to the board to say, "Here are the actual problems that we have. Which ones do you think we should address first? Give me money so I can fix it." That totally changes the discussion from being theoretical to actual: "These are our real issues. Let's solve these problems."
3 4 Replies
Board Member, Former CIO in Software, 10,001+ employees

That's interesting. I hadn't seen them before. What are they doing that allows them to do this continuously? Do they have a panel of stuff that they're rotating through this? It's not just humans doing the work?

CISO in Software, 51 - 200 employees

It's their magical AI from all the U.S. Army Special Forces. Their AI engine just roams your environment through simple connectors and it catches all the holes.

VP - Head of Information Technology in Software, 1,001 - 5,000 employees

It’s like the Skynet red team. It starts with the red team and then next thing you know, the botnet is making the ransomware.

Board Member, Former CIO in Software, 10,001+ employees
We did a red team with all my companies. I'm so glad they did. It completely changed the mindset of the CIO. All of a sudden he was like, "Let's not spend any money on these stupid certifications because they're not doing anything." It was an over-pivot though, because you still need the certifications for certain things. You need them to be able to make promises about the quality of your infrastructure and the security that you have around it, but they don’t give you an idea of how effectively you are delivering on those promises. That's where red teaming comes in.

Actually, after they did the red team they didn't want to bring it to the audit committee because they didn't want the auditors to freak out. It's not that they didn’t want to talk about it ever, just not right then. By delaying it, they gave themselves a bit more time to work with the auditors to make sure that it didn't screw up the $10K, which highlights the fact that even the auditors are screwed up on this front. They don't know how to do risk assessment because the company finding its own dirty problems is a very healthy thing regardless of how dirty the problem is. It's way better for that to happen than for bad guys to find it.
CISO in Software, 201 - 500 employees
Not always, as usual security needs come from business, then risk assesment and last one is red teaming results and something like that. Most of organization that use red teaming already has some vision and strategy about IS, so this means that thay have thought abount needs, risks and so on. Red teaming and some pentesting is just additional measure to become more secure by identification of current weakneses. :)

Content you might like


We’re currently considering it51%

We’re currently developing one7%




CTO in Software, 201 - 500 employees
Without a doubt - Technical Debt! It's a ball and chain that creates an ever increasing drag on any organization, stifles innovation, and prevents transformation.
Read More Comments
44.9k views132 Upvotes322 Comments