Continuous assurance vital in cybersecurity landscape
Continuous identification and prioritisation of vulnerabilities emphasised for effective defence.
The importance of continuous assurance in cybersecurity is becoming increasingly vital as the nature of the threat landscape requires a proactive and continuous approach to remain secure, according to Scott Flower, co-founder and director of CI-ISAC.
"The reason it's so important is that the actual threat landscape is changing all of the time," Flower said. He noted that without a continuous assurance program focused on vulnerability identification, organisations are perpetually at risk, constantly "chasing their tails" in an attempt to stay ahead of attackers.
Traditional penetration testing, when conducted sporadically, fails to offer sufficient protection. "If you've got just pen testing as a once-off activity, the threat actors don't stop between the pen tests," Flower explained. Continuous vulnerability testing and searching, therefore, are key components of a positive, proactive security posture.
When asked about the possibility of optimising testing practices without compromising security, Flower was sceptical about finding a perfect balance. "The mix will change depending on the threat landscape and also the types of products and services technology that your actual business is using," he stated.
Budget considerations play a critical role in maintaining a continuous assurance strategy. Ensuring that budgets align with the most efficient and effective outcomes is essential, as is the integration of threat intelligence into vulnerability management.
"Being threat-led... making sure that the prioritisation of the remediation of those vulnerabilities is done in an evidence-based way based on the threat that you're facing," Flower emphasised.
In terms of cost optimization, cybersecurity leaders continually face pressure to minimise expenses while maximising security effectiveness. Flower advises that decision-making around cybersecurity investments should be informed and threat-led to avoid wasting resources on irrelevant or low-priority risks.
"Your decision-making process around what technologies, what vulnerability assessment, and process you are using for vulnerability management as well, should be threat-led and informed," he said.
Commentary
Only the agile will win across ASEAN’s evolving markets
Scaling for resilience: What Asia Pacific’s bioenergy markets can learn from each other
Asia is leading payments modernisation and banks can't afford to fall behind
To outsmart modern fraud, we must first know the enemy
Why Western firms keep misreading the Chinese and Korean trust architecture
Platinum cards, paper-thin compliance?
How Asian enterprises can deliver modern, data-driven HR on time and on budget
Why high turnover persists in hospitality, and what’s changing
Energy price volatility highlights structural gaps for managing FX risk in APAC
When ESG enters the Asian boardroom: What real estate and infrastructure leaders must get right