Improved resilience a shared target in cybersecurity
Offensive and defensive perspectives may differ significantly, but they share a common purpose.
While offensive and defensive security teams play distinct roles in the organisation, protecting the organisation remains the common objective that both work towards, said Nick McKenzie, Chief Information Security Officer at Bugcrowd.
In an interview during the Australian Cyber Conference in Melbourne, McKenzie explained that the two opposing teams' shared objective is to make sure that an organisation's overall controls, health and resilience are uplifted.
“One objective of the offensive security team is to actively go out and hunt and find weaknesses. And then you have more of a defensive team, which is to monitor that activity,” he said. “So even though they might have polar opposite objectives, just by looking at their actual core objectives, at the top of the house they are the same, which is to protect the organisation.”
McKenzie emphasised the importance of organisations investing in understanding their own cyber landscape, rather than applying generic templates, as each organisation has its own risk and threat profile.
He explained that factors like IT assets, industry domain, employee behaviour, and third-party relationships all influence this profile.
“So each company is unique; you can't just cookie-cutter a template and apply a band-aid for every single organisation,” he said.
McKenzie suggested that each organisation must assess what its own profile looks like: identify the threat actors, the risks, the audit findings and the known issues, and combine them to arrive at a risk-based, objective assessment of the company's profile, which in turn becomes an action plan.
“That action plan will be different in terms of what needs to be prioritised to be fixed. But ultimately, it's a combination of a threat-led independent assessment of your organisation, combined with your own risk assessments, that's collation, with audit findings, standard inconsistencies or non-compliances, and self-identified issues,” he said.
When asked for a specific strategy that has proven effective, McKenzie mentioned that many organisations take cues from industry standards like NIST and ISO. However, rather than rigidly adhering to these standards, successful companies adapt them to their unique contexts.
“You shouldn't just go with it, shouldn't just go with the standards or the industry standards approach and use that as a silver bullet for fixing your own estate. It needs to be adaptive, again, to your own business, and what the business wants and how you enable the business, and also the threat landscape on top of it,” he said.
He suggested that organisations layer these standards with additional stress-testing activities and threat intelligence to craft actionable plans.