Last Updated on December 17, 2022
The maxim “Ignorance is bliss” doesn’t apply to CISOs and other security leaders. They’re dealing with a barrage of threats they’re already aware of—everything from home office threats to cloud security threats to nation state adversary threats to insider threats.
But what worries security leaders the most these days is all the threats they don’t know about. How can you address risks if you don’t even know they exist?
To talk about digital business risk and how it relates to your company’s known and unknown attack surface, a recent episode of The Virtual CISO Podcast features David Monnier, Chief Evangelist and Fellow at Team Cymru. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Tell me something I don’t know
Both David and John have observed that the security decision-makers they’re talking to are most concerned about potentially significant vulnerabilities they’re currently blind to.
“I think CISOs are inundated with a lot of what they already know,” David observes. “Everybody wants to tell them the same story, just using some new words or some new variation or some new whatnot. They spend a lot of time weeding through products that are largely just different wrapping papers over the same stuff they’ve seen before.”
“The real value in life is learning things that you didn’t know previously,” asserts David. “So, we [at Team Cymru] try very hard to make that a reality. We try to provide a layer of threat intelligence that goes [beyond] a normal attack surface management (ASM) view.”
What is digital business risk management?
That expanded attack surface view encompasses formerly unknown risks like vulnerabilities in your infrastructure that were below your radar. Or malware on your network that you didn’t know was there.
“The attack surface space was an obvious place to apply intelligence to show people something that they didn’t know before about their infrastructure,” David explains. “The things that show me something that I didn’t know to know are truly the most valuable. Even if you’ve shown me some terrible reality that I’m totally ill-equipped to deal with, at least now I know about it.”
The concept of digital business risk management seeks to integrate vulnerability management and threat intelligence with comprehensive asset discovery, so organizations can map all their digital assets, as well as those of partners/vendors and other third parties if they wish.
“The number one thing that keeps people up at night is that haunting feeling that there’s something else that’s gone on that they just don’t know about,” David believes. “[Identifying] that is exactly how our solution aims to help CISOs.”
To listen to this podcast episode with David Monnier, click here.
Are you aware of all the risks to your databases? Probably not, according to this blog post: Your Database Attack Surface is Bigger than You Think