Security News > 2022 > January > Being “Threat-Led” is the answer. Your ISO certificate won’t save you from a breach!

Another CISO walks into a board meeting and muddles through stats showing their compliance status.

In the classic risk management equation of Risk = Threat x Vulnerability, I have no control over the threat actor's motivation, skill, or resources.

CISOs should measure security based on their ability to discover if they've been breached, using meaningful metrics like mean time to breach when testing security, or the mean time to detect threats.

Red teams test technology, people, and processes-probing for blind spots and finding unorthodox ways to breach you.

This is exactly how a capable threat actor would operate! This gives invaluable data on what has fallen through the cracks, so CISOs can prioritise accordingly and reduce the average time to detect a breach.

In today's dynamic threat environment, plans may need to change mid-year, so it's crucial that the board understands the risks they are accepting by choosing not to invest.

News URL

https://go.theregister.com/feed/www.theregister.com/2022/01/20/security_compliance_issues/