Beyond Compliance: Penetration Testing, Red and Purple Teams: Continuous Assessment to Improve Security and Build Talent
Penetration Testing (Pen Testing) and the use of Red and Purple Teams are key strategies for assessing security and driving ongoing improvement. Large, sophisticated organizations and smaller organizations alike need continuous testing strategies. These tests are critical to establishing and exercising business continuity operations across all functions, especially on the Information Technology side, building the “muscle memory” needed to respond effectively to serious threats. The objective of this effective-practice field research was to examine three components important to strong cyber hygiene: Penetration Testing (Pen Testing), Red Teams and Purple Teams. The findings are based on three focus groups with ACSC member organizations, more than a dozen in-depth interviews with member CISOs and three vendors, and a small sample survey.
Entry to the Continuous Assessment Maturity Model requires that three basic security fundamentals are in place first as a foundation:
(1) Up-to-date essential system hygiene practices, a critical precondition to justifying investment in assessments beyond what regulators and third parties require. That means: (a.) asset management practices are in place; (b.) important systems are up to date with the “patches” available from vendors; and (c.) vulnerability scanning and remediation are practiced, with awareness of, and plans for closing, gaps in consistency and completeness.
(2) Established methods for setting risk priorities and measuring results and progress; this could include a standard framework or dashboard (e.g., NIST CSF, CIS Controls, or an internally customized dashboard).
(3) An established Blue Team (internal or outsourced) that continually monitors and defends company networks and systems, and a security incident response plan that is routinely tested and updated with tabletop walk-throughs. Blue Teams should also have incorporated the latest tools before putting them into battle.
Collaborative Defense Cyber Incident Planning and Response: The Roles of Legal Counsels and Communications Executives at Sophisticated Organizations
As with the senior executive CISO role, dedicated counsel for cybersecurity and senior communications staff deeply engaged with cyber defense are corporate developments of the last decade. Many organizations have only recently assigned significant cybersecurity legal responsibilities to one member of the counsel team and brought communications staff into incident planning and response as full partners. In some cases, cyber incident planning and response has been organized as a subset of existing emergency preparedness groups, which has led to additional challenges, especially the need to differentiate the distinct procedures, systems, and language of cyber preparedness from more traditional emergency practices.
Leveraging Board Governance for Cybersecurity: The CISO/CIO Perspective
In the current climate of increasingly sophisticated cyber attacks that can cripple business operations, expose sensitive data and damage a company's reputation and market value, the mandate for corporate management teams and boards to adapt and improve their approach to cyber governance is becoming an imperative. Yet, in 2014, one third of North American firms did not have a Chief Information Security Officer, according to an annual survey by PwC, and the US government did not appoint its first Chief Information Security Officer until 2016. By 2018, many companies still did not have key roles related to cybersecurity, such as CISOs or chief security officers. These statistics, together with our report on Collaborative Cyber Defense released last year, spurred the ACSC to investigate the current state of board engagement in cybersecurity more deeply.
Collaborative Cyber Defense: Barriers and Best Practices for Strengthening Cyber Defense by Collaborating Within and Across Organizations
With assistance from Mass Insight Global Partnerships, and in conjunction with research partner McKinsey & Company, researchers worked with ACSC members and other experts to interview CISOs, CIOs, analysts, business leaders and others across a range of sectors, in order to identify organizational models for efficient collaboration on common defense. Overall, the study found a strong correlation between collaboration and cybersecurity maturity. However, most collaboration is informal and unstructured, which points to opportunities for more structured activities and networks. Significant gaps also exist between more mature organizations and others, indicating potential for cross-fertilization of practices.