At the RSA Conference in San Francisco, on February 15, 2017, an expert panel of senior executives discussed strategies and practical approaches to maximizing cyber testing programs and getting away from “hamster wheel” status quo practices.
The panel:
- Wendy Frank, Principal, PwC, Moderator
- Diana Kelley, Global Executive Security Advisor, IBM Corporation
- Lisa Lee, IT Examiner, Office of the Comptroller of the Currency
- Latha Maripuri, SVP and Global CISO, News Corp
Frank: What trends do you see happening in security testing?
Maripuri: There is an interesting shift going on. Traditional testing like vulnerability management and pen testing is getting commoditized by many tools and service providers, who focus on finding breaches. The dialogue is shifting to detect and respond. Have we realigned testing programs accordingly? Are we testing our people? Our processes? Do you get a false sense of security from testing and finding problems, when things often don’t get fixed? Are you tracking what does? If it’s too expensive to fix, what happens to those results? Traditional testing methods also don’t translate well to the cloud.
Lee: Do you understand the threat against your organization? What’s driving you to do the test? Weight the level of effort against the impact.
Kelley: Understand the tools to get the needed value out of them. Don’t put too much power into those tests. If you get a stack of problems, how are you going to prioritize and apply fixes?
Lee: Other value can come out of testing, like red teaming. It’s a good way to train your incident response team.
Maripuri: Phishing is an easy email to send to your employees, but there’s huge value in raising awareness. Bug bounty programs take a bit more effort, but crowdsourcing can help you get to the next level.
Kelley: Focus on the impact to the executives. A phishing test is something a CEO will see. It provides “high visual yield”. It will help executives understand what your program is doing and see the success.
Frank: What about the maturity model of testing?
Kelley: First, understand your organization’s maturity and readiness, deploy in a useful manner and get some success, then expand. Don’t try to go to Level 6 maturity right away. Start small, with a small group. Find a high visibility app to get some success and confidence. See the blemishes early and fix them.
Lee: Doing the same thing more often doesn’t really increase value. Rethink the scope and frequency that might just be assumed to add value.
Maripuri: It’s not natural for developers to think about maturity models, but it’s very important. Looking at where you are and where you want to get to can be very helpful. We’ve started aligning our testing to our incident management process. Scanning our servers is good, but we found most errors were coming from the employee base. How do we automate and integrate more? Make testing part of the fabric of how you do services.