How do you manage your security portfolio? Do you use regulatory frameworks as a basis? As a target? Experience shows that these frameworks are an important starting point but should not be considered the targeted end-state.
How confident are you that your controls will function correctly during a real attack? Time and time again, we see that having the controls does not mean they will work in a real emergency. If they don’t work as intended, is it because they’re not configured correctly? Or do you have a gap?
Congratulations! You invested in getting the best-of-breed controls and the best talent to configure, manage, and monitor these. Now, how do you test your environment?
You know how to test your controls, but when should you do it? And how often? Most frameworks and best practices guidelines suggest you do so annually or when you make a major change to your environment, but how does the external threat landscape come into consideration?
You now have the insights and data to show your controls will function in a real-world attack. How do you use this intel when talking to your board? Is it always doom and gloom or is celebrating successes equally important?
This presentation makes a case for integrating continuous breach attack simulation as a practical approach to rationalizing your security portfolio. We examine the notion of abiding by the spirit of the compliance framework vs. the letter of that framework and discuss how you can get the most benefit out of your security controls through simulating real-world scenarios without risk to your environment. We then conclude with the positive impact that performing continuous breach attack simulation can bring to your communications up to the executive and board level.
Chief Information Security Officer
Avi joined SafeBreach in 2021, with almost 30 years as a senior information security leader with multiple companies, including Wells Fargo, E*Trade, and Experian. He has created and implemented security programs with a focus on best practices and control maturity. Avi's information security career started with his service at the Israeli Defense Forces Unit 8200. His career spans multiple roles and domains across information security, including product research and development, professional services, customer support, consulting, and strategic leadership. Avi holds a dual MBA from UC Berkeley’s Haas School of Business and Columbia University’s Business School. He is CISSP, CISM, CRISC, CISA, CIPM, and CIPT certified and holds the Stanford University Strategic Decision and Risk Management program certification.
Senior Vice President of Content Strategy
Jill Aitoro is senior vice president of content strategy for CyberRisk Alliance. She has more than 20 years of experience editing and reporting on technology, business and policy. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.