Beyond the Status Quo: Innovative Approaches to Complex Cyber Threats

Many organisations struggle to keep pace with rapidly changing cyber threats.?

It's no wonder that traditional security measures aren't cutting it anymore. Seasoned experts agree that organisations must embrace fresh approaches that challenge the status quo to stay ahead of malicious actors.

In this month's newsletter, top cyber security minds share the strategies, ideas, and lessons that reshape views and fortify systems.?

From updated pen testing methodologies to refined vendor risk management, we explore how you can take the lead from the best and redefine your game.?

Discover how to identify control gaps, level up your Security Operations Center (SOC), and master the fundamentals of cyber defence (yes, you must). Get a better understanding of the persistent threat of social engineering and unlock Red Teaming Plus.?

Let's start.?

Cyber Security Innovation with Robin Fewster: A New Paradigm for Pen Testing and Compliance

Despite advancements in the last decade, pen testing still requires significant improvements to address security challenges effectively, says Robin Fewster , Senior Manager of Security Testing and Cyber Defence at Hargreaves Lansdown.

Drawing from 23 of experience in the field, Robin shared valuable lessons on why we need to do things differently:

• Many cyber security consultancies still do the same things that don't work out well: extensive lead times, overreliance on rigid scoping documents, and a lack of communication during the engagement.
• Penetration testing has become commoditised to some extent, with many firms offering standardised, automated solutions without considering the specific context of the organisation they're testing.
• A more flexible and integrated approach to pen testing would allow security consultants to work more closely with internal teams to understand their unique security needs and deliver more meaningful results.
• Collaboration creates trust and allows for open communication, leading to more effective security strategies and outcomes.

Watch Robin's discussion with Dan Haagman to discover what the future of pen testing holds.?

Partnership Over Process: Mark LoGalbo's Strategies for Refined Vendor Risk Management

Collaboration and partnership are also at the heart of Mark LoGalbo CISSP 's enhanced vendor risk management strategies.?

Currently the VP of Information Security at Fanatics Holdings, Inc., Mark shared his insights on the art and science of managing vendor risk. Here are a few key takeaways:

• We throw pre-canned questionnaires at vendors and just expect many questionnaires back. This approach fails to address deeper, more systemic issues that can lead to security vulnerabilities and breaches.
• Effective vendor risk management should balance risk and reward, supporting the business without becoming a roadblock.
• A partnership approach with vendors is more beneficial than an adversarial relationship.
• A vendor's willingness to acknowledge and manage existing security weaknesses demonstrates a more mature information security program.

Read more on our blog to discover how to streamline vendor assessment and the benefits of continuous monitoring.?

Christian Toon on Reinventing Cyber Security Leadership

Why do many companies still treat cyber security as an isolated technical problem?

This question lies at the heart of the challenges facing today's security leaders, according to Christian. T. , Head of Cyber Professional Services at Pinsent Masons.?

In a recent conversation with Dan Haagman , CEO of Chaleit, Christian shared his insights on how security leaders can elevate their role and break out of technical silos:

• The Marvel Avengers have the ideal blueprint for a security team to bring together people who wouldn't usually work together, who have these special diverse skills and experiences to step up to the plate when it matters.
• Security is typically seen as an isolated station within an organisation. We're guilty of perpetuating that stereotype by claiming that what we do is too technical or detailed for anyone else to understand.
• Many businesses lack the in-house skills necessary to determine their cyber security needs. In this context, companies need a more critical approach to vendor selection and implementation, emphasising proper control design and threat modelling.
• Collaboration enables security leaders to gain more traction with senior leadership and ensure that security concerns are viewed through a broader business lens.

There you go — collaboration comes up again and again in our interviews with industry experts. And it's a core value driving our interactions with clients.?

Speaking of client interactions, Josh Fulford , Account Executive at Chaleit, had two stories last month that stemmed from listening closely to clients' needs.?

Red Teaming Plus: A Strategy for Proactive Cyber Security

Josh has noticed a lot of interest in the concept of "Red Teaming Plus," a security approach that goes beyond the conventional scope of red teaming.

The Chaleit team has had excellent results using this methodology in multiple engagements, so he presented it more broadly. Here are a few ideas if you're curious, and make sure to check out the whole article:

• Traditional red teaming involves designing scenarios to test technical, process, and human vulnerabilities. However, this approach can easily create a year's worth of problems for a client in a single engagement.
• While identifying critical vulnerabilities is valuable, the true magic lies in the learning and continuous improvement that accompanies these exercises.
• Red Teaming Plus shifts the paradigm from an adversarial process to a collaborative one.?
• Instead of merely attacking and reporting, the Chaleit team works closely with the clients throughout the exercise to leverage their deep knowledge of their own systems, ensuring that our scenarios are realistic and relevant.

Explore further to understand the difference between read teaming plus vs. purple teaming and how the concept translates into action.?

Cyber Security Controls: Managing Overload and Ensuring Effectiveness

Another recurring theme in Josh's client interactions has been the challenge of managing cyber security controls effectively.?

Many organisations are dealing with an overwhelming number of controls and alerts, insufficient staff, and a lack of clear prioritisation.

While tools like vulnerability scans and Security Operations Centers (SOCs) are valuable, they can sometimes generate an enormous amount of unwanted noise. This often leaves teams struggling to separate critical issues from background chatter, Josh notes in his article.?

There's a common misconception that once an annual SOC agreement is in place, an organisation can relax its vigilance. However, this couldn't be further from the truth.

But we'll let Dan Haagman take the floor for an in-depth conversation about SOC efficiency.?

Level Up Your SOC: Practical Strategies for Boosting Security

Drawing from real-world experiences and hard-earned lessons, Dan has been sharing in his bi-monthly newsletter Cyber Securi-Tea actionable strategies to help organisations elevate their SOC from a mere security checkbox to a robust defence mechanism.

Whether you're in the planning stages, struggling with a newly implemented SOC (or any other cyber security control), or looking to streamline an existing one, Dan shares five practical strategies to make a real difference in your security operations:

1. Start with a risk analysis and threat modelling
2. Embrace the long tail of tuning
3. Implement continuous and periodic assessments
4. Maintain a comprehensive asset inventory
5. Improvement and adaptation

Find the details in Dan's latest newsletter.?

Details were also on Roscoe Platt 's mind last month but from a different angle.?

The Devil's in the Details: Getting the Fundamentals Right

You can have the most advanced security tools, but if they're not implemented correctly or if basic security hygiene is neglected, you're leaving the door wide open for attackers, Roscoe observes in his article.?

Chaleit's VP of Client Services offers several strategies to make sure you get the fundamentals right, including:

• "Chip away" at security improvements. First, focus on tackling the lowest-hanging fruit, then gradually work your way up to more complex challenges.
• Take your SOC to the "gym." Purple teaming helps ensure SOC effectiveness by identifying not only problems but also areas for improvement.
• Use technology to enforce good security practices. Automated tools can ensure the proper implementation of password policies and access rights.

Once you make sure the door is locked, check under the flower pot — someone might have left a key there (i.e. social engineering).

Social Engineering: Cyber Security's Perennial Weak Spot

Roscoe explains that no matter how sophisticated technical defences become, social engineering continues to be the Achilles' heel of even the most secure organisations.

What makes social engineering particularly challenging is that it exploits fundamental human behaviours and organisational cultures that are hard to change. Even more concerning is when those at the top of an organisation become the weak link.?

Continue reading to discover ways to address these challenges and minimise the damage.

Identifying Control Gaps: Building a More Resilient System

We wrap up this month's newsletter with another set of strategies aimed at minimising damage.?

If you're wondering what keeps security professionals up at night, it's control gaps — the hidden weaknesses in organisations' security measures that attackers can't wait to exploit.

In his nearly 30 years of experience working with businesses across various sectors, Dan has seen first-hand how even the most seemingly secure systems can harbour these gaps. He says it's not about fear-mongering but about facing reality and taking proactive steps to build truly resilient systems.

Read his analysis of what control gaps are and discover valuable lessons and best practices for building more resilient systems.?

What security challenges keep you up at night? Share your thoughts in the comments, or feel free to drop us a line. We'd love to help you get a better night's sleep.?