“The key determinant of whether or not you had a breach wasn’t anything you could control. It was who was after you,” said Josh Corman (@joshcorman), Director of Security Intelligence for Akamai Technologies, who suggests an adversary-centric risk prioritization.
Your security plan should be built around your adversaries. Corman believes that security ROI is bunk and instead recommends building an adversary ROI.
“If you know who first is after you, you know what assets they tend to go after, and how they go about them,” said Corman.
David J. Etue (@djetue), VP of Corporate Development Strategy of SafeNet, has been working alongside Corman to develop this adversary-centric risk prioritization model, and he’s tested it out with a client of his in the defense industry. In one instance they spotlighted a specific nation state that was going after some specific data and focused their security efforts to simply make it more difficult for their adversary to attack them.
“A risk requires a threat, a vulnerability, and a negative consequence. We’ve spent all this time on vulnerability because that’s what we’re comfortable with. That’s what we can reach out and touch and control. The reality is the way our attack surface is played out it is approaching infinity. We’re at a point now where you need to focus on the other variables. It may be easier to take a threat-driven approach to your security,” said Etue.
And don’t think of just “bad guys” as a threat. To many CISOs the number one threat are auditors, said Corman.
Stock photo of people with “anonymous” masks courtesy of Shutterstock.