Cyber security consultant with over five years of information technology experience working with clients in the energy, education, government, and financial services sectors.
Red Team Results to Tangible Risk Management
As much as red teams love to believe that every vulnerability they uncover poses an immediate and urgent high risk, that is often not the case. Furthermore, red teams are great at providing technical solutions, but they often fail to consider the size, scale, and scope of their target’s operations.
At times, a successfully executed MITRE ATT&CK technique does not equate to, or present, a tangible risk to an organization. Framing every one of them as such ends up exacerbating the disconnect between technical teams and management: a dire landscape fraught with risks around every corner is presented, and the remediation goals and targets proposed are unrealistic and do not lend themselves to actual implementation, especially within the small-to-medium enterprise landscape.
Hopefully, this speed talk can help red teams think about how to practically evaluate, translate, and present their findings to management, and help them share their knowledge and engage in constructive dialogue around the risks an organization faces.