Identify

Assessments and questionnaires are slowing down business, yet there’s no evidence they improve security Your security team has spent hours this week alone on security questionnaires despite your organization’s unpatched systems, unfinished and untested disaster recovery plans, and unencrypted backups. Sound familiar? Security analysts’ desks are awash these days with the spreadsheets, Word documents, and even custom apps organizations use to quiz prospective vendors about their security practices before buying a product. That product is usually an online app, known in the industry as software as a service (SaaS). ...

When we security types talk about “attack surface” or “threat surface,” we mean the part of our technology environment that’s potentially vulnerable. Think of your skin. We wear clothing to protect it from the sun’s harmful rays. A construction worker wears heavy leather to guard against wounds from tools and sharp materials. A cook wears an oven mitt to avoid burns. Any skin we leave exposed is vulnerable to these threats. We often deliberately accept these risks—for example, wearing just a swimsuit to the beach—sacrificing some security for some enjoyment and versatility. Ideally, we use good judgment and make a sensible, balanced risk decision. We can also use compensating safeguards (e.g., sunscreen) to limit the downside risk of our decision. ...