DarkReading.com reported that “there seems to be a large gap between how companies should address cyber-risk and what they're actually doing.” The October 11, 2019 article entitled “Close the Gap Between Cyber-Risk and Business Risk” made these points under recommendation #2, “Conduct and automate tests on an ongoing basis”:
…evidence is needed on an ongoing basis to demonstrate what is working or not working.
Companies tend to look to audits and penetration tests for this, but these approaches are limited — they provide only a one-time snapshot of security controls rather than an end-to-end picture.
Testing options exist that will not only identify vulnerabilities but also prescriptively fix them and validate that the fix is successful — and then automate the process for continued validation, particularly as environmental drift occurs, to ensure that what's working stays working.
In other words, fix it the right way, make sure it's fixed, and keep it fixed.
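The loop the article describes (find the weakness, fix it, validate the fix, then keep re-validating as the environment drifts) is easier to see in code. The script below is an added example, not code from the article or from this post. It assumes a deliberately simplified sshd_config as the "system under test"; the config text, the check names and the drift scenarios are all constructed for illustration. The point it makes that the paragraph alone does not is that validation has to be semantic: sshd honours the first occurrence of a keyword, so the same drift (a second "PermitRootLogin yes" line) is a regression when it lands above the fix and harmless when it lands below it, and a text diff would flag both.

```python
"""Fix it, validate it, keep it fixed: continuous control validation with drift detection.

Added example (not from the Dark Reading article or this post). The sshd_config
text and the drift scenarios are constructed sample input.
"""
from dataclasses import dataclass

# Constructed sample: an sshd_config with two weak settings and one good one.
BASELINE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
X11Forwarding no
"""


def parse_sshd_config(text: str) -> dict[str, str]:
    """Minimal sshd_config parser: 'Keyword value' per line, '#' starts a comment.

    Like sshd, the first occurrence of a keyword wins. Match blocks and Include
    directives are not handled (simplification for this example).
    """
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        cfg.setdefault(parts[0].lower(), parts[1].strip())  # first value wins
    return cfg


@dataclass(frozen=True)
class Check:
    name: str       # hypothetical check identifier
    key: str        # sshd keyword the check looks at
    expected: str   # value the hardened setting must have

    def passes(self, cfg: dict[str, str]) -> bool:
        return cfg.get(self.key.lower(), "").lower() == self.expected.lower()


# Hypothetical control set for the example.
CHECKS = [
    Check("no-root-login", "PermitRootLogin", "no"),
    Check("no-password-auth", "PasswordAuthentication", "no"),
    Check("no-x11", "X11Forwarding", "no"),
]


def run_checks(text: str) -> dict[str, bool]:
    """Evaluate every check against the parsed config; this is the 'evidence'."""
    cfg = parse_sshd_config(text)
    return {c.name: c.passes(cfg) for c in CHECKS}


def remediate(text: str, check: Check) -> str:
    """Rewrite the config so `check` passes.

    The first matching keyword line is replaced because that is the one sshd
    uses; if the keyword is absent, the hardened line is appended.
    """
    out, done = [], False
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not done and parts and parts[0].lower() == check.key.lower():
            out.append(f"{check.key} {check.expected}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"{check.key} {check.expected}")
    return "\n".join(out) + "\n"


def fix_and_validate(text: str) -> tuple[str, dict[str, bool]]:
    """Fix every failing check, then re-run the same checks to prove the fix."""
    for name, ok in run_checks(text).items():
        if not ok:
            check = next(c for c in CHECKS if c.name == name)
            text = remediate(text, check)
    return text, run_checks(text)


def detect_drift(known_good: dict[str, bool], current: dict[str, bool]) -> list[str]:
    """Checks that passed in the known-good state and fail now (regressions)."""
    return [n for n, ok in known_good.items() if ok and not current.get(n, False)]


if __name__ == "__main__":
    print("initial:", run_checks(BASELINE_CONFIG))
    fixed, known_good = fix_and_validate(BASELINE_CONFIG)
    print("after fix:", known_good)
    # Constructed drift: a later change puts "PermitRootLogin yes" ABOVE the fix.
    drifted_above = "PermitRootLogin yes\n" + fixed
    print("drift above fix:", detect_drift(known_good, run_checks(drifted_above)))
    # Constructed drift: the same line BELOW the fix is ignored by sshd.
    drifted_below = fixed + "PermitRootLogin yes\n"
    print("drift below fix:", detect_drift(known_good, run_checks(drifted_below)))
```

In a real pipeline `run_checks` would read the live host (or the rendered config from your configuration management) on a schedule, `known_good` would be the result recorded right after the fix was validated, and anything `detect_drift` returns would be what goes into the report to the executive team.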
Here are all four recommendations to reduce cyber-risk:
1. Stop assuming and start measuring.
2. Conduct and automate tests on an ongoing basis.
3. Be sure you're evaluating and implementing the right security solutions.
4. Report actionable information to the executive team.
What do you think?