In part 1 of this series, Jeremy explored how cybersecurity investments should mirror financial portfolio management - spreading risk through diversification and continuously evaluating performance. Now he turns to a crucial next step: actively testing those investments to find where they might fail you.
Ever played with an image editing tool and negative inversion of colours? Sometimes reversing the tone of an image will show up details that weren't clear to the eye when seen in a positive or normal light.
The same is true when we go looking for holes in our cybersecurity defences. There are a number of methods for doing this, such as:
Penetration testing, which shows you the front door vulnerabilities like misconfigurations, unpatched systems, and obvious weaknesses that an attacker would exploit first.
Threat simulations that test whether your controls actually stop the attacks they're designed to block. Your email filter might be deployed, but does it catch the phishing emails that are actually targeting your industry?
Red teaming, which goes deeper, simulating a determined adversary over weeks or months. Can they get in? More importantly, can your team detect them once they're inside?
Purple teaming, which brings your attackers (red team) and defenders (blue team) together to learn from each exercise. The red team shows what worked; the blue team tunes their detection and response.
The reality is that any defence strategy has gaps, and the tuning and adaptation of security tools can be as important as having the tools in the first place.
It is often easy to focus on the capabilities we do have in place, without understanding if they are effective or not.
Testing Your Defences in the Real World
I like old cars and have an old Datsun that has been a labour of love for many years. It doesn't get driven - it gets worked on (sparingly). Yes, one of those car projects… A few years ago, I was moving the car and taking it off a trailer. As it rolled backwards with me in the car, I pumped the brakes to feel the pedal go straight to the floor. No brakes. You can guess how that ended (fortunately at low speeds and with a trailer winch still attached).
If I were driving 100 km/h and coming to a bend in the road, that story would have been disastrous.
In a similar sense, we don't want a high-speed collision when our security controls inevitably don't function as expected. And the reality is, we are faced with an almost infinite number of scenarios in which our defences may be tested. Mapping out scenarios that we see as risks to our business, and testing our defences against them, is an incredibly valuable exercise.
Like a negative of an image, it can show up the unexpected and allow us to tune our defences appropriately.
In part 3, I’ll look at what happens when those defences are truly put to the test - and how to prepare for when the flag goes up.
28 Oct 2025