We hosted the crew from Hacker Valley Media on LinkedIn Live for a conversation on the top takeaways from our 2023 Offensive Security Vision Report. The report analyzed over 300,000 anonymized findings from thousands of pentest engagements to shed light on the state of offensive security and to give security teams practical guidance for an evolving threat landscape.
NetSPI Head of Product Cody Chamberlain and guests Ron Eddings and Chris Cochran from Hacker Valley Media explored the highlights, including the importance of prioritizing vulnerabilities, a constant reminder to focus on the basics, and how we can show empathy by asking for help while staying committed to the larger mission that keeps us connected: security.
Offensive Security Captured in 9 Quotes
These quotes come directly from Cody Chamberlain, Ron Eddings and Chris Cochran while participating in our LinkedIn Live webinar, “An Inside Look at NetSPI’s Offensive Security Vision Report.” We pulled these soundbites because they capture the state of offensive security in today’s landscape.
Prioritizing Remediation Efforts is the Key to Success
- “You have to find the needle in the haystack on which vulnerability to focus on. Unfortunately, it’s like finding the needle inside the needle stack. When the needle looks like all the other needles, how do you really find it?”
- “Prioritization is one of those beasts that’s just hard to wrangle.”
- “If you don’t have a mechanism to prioritize, you’ll be lost. You’ll prioritize the wrong things, and ultimately, waste time.”
Prioritizing vulnerabilities is what breaks the vulnerability management cycle of finding more than you can fix. Security teams simply can't remediate every finding, so they must rank findings by the risk they pose if exploited: where the vulnerability sits (internet-facing or internal), how important the affected asset is to the business, how likely exploitation is (for example, whether a working exploit is available), and what the current threat landscape looks like (whether attackers are actively using it).
Without effective prioritization, security teams face a constant influx of alerts and findings, which leads to analysis paralysis and wasted effort. Prioritization lets teams allocate their limited time and resources to the critical and high-risk vulnerabilities first, so the most impactful issues are fixed before the rest. Establishing that mechanism does require upfront effort and a willingness to ask and answer difficult questions, starting with which assets matter most to the business.
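As an added illustration of what a "mechanism to prioritize" can look like in practice (example code, not NetSPI's tooling or anything from the report), the script below scores constructed sample findings using the four factors just described: exposure, asset criticality, exploit availability and active exploitation in the wild. The weights are assumptions chosen for the example; the point is that a "critical" finding on a low-value internal host can legitimately rank below a "high" finding on an internet-facing crown-jewel system.

```python
"""Risk-based prioritization of pentest findings.

Added example, not NetSPI's code. The weighting scheme is an assumption
for illustration; tune it to your own business priorities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    id: str
    title: str
    severity: str             # severity as reported by the pentest
    internet_facing: bool     # where it exists
    asset_criticality: int    # business priority, 1 (low) to 5 (crown jewel)
    exploit_public: bool      # likelihood: a working exploit is available
    actively_exploited: bool  # threat landscape: seen exploited in the wild


SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def risk_score(f: Finding) -> float:
    """Assumed weighting: severity x asset criticality, then scaled by
    exposure and exploitability. Pure severity is the 'needle stack'."""
    score = SEVERITY_WEIGHT[f.severity] * f.asset_criticality
    if f.internet_facing:
        score *= 2
    if f.exploit_public:
        score *= 1.5
    if f.actively_exploited:
        score *= 2
    return score


def prioritize(findings):
    """Highest risk first, with a stable tiebreak on id so the plan is reproducible."""
    return sorted(findings, key=lambda f: (-risk_score(f), f.id))


def fix_plan(findings, capacity):
    """The ids the team commits to this cycle, given it cannot fix everything."""
    return [f.id for f in prioritize(findings)[:capacity]]


# Constructed sample findings for the example (not data from the report).
SAMPLE_FINDINGS = [
    Finding("F-1", "SQL injection in legacy intranet tool", "critical", False, 2, False, False),
    Finding("F-2", "Auth bypass in customer portal", "high", True, 5, True, True),
    Finding("F-3", "Directory listing on marketing site", "medium", True, 4, True, False),
    Finding("F-4", "RCE in internet-facing file transfer appliance", "critical", True, 4, False, False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"{risk_score(f):6.1f}  {f.id}  {f.severity:8}  {f.title}")
    print("Fix this cycle:", fix_plan(SAMPLE_FINDINGS, 2))
```

Running it ranks F-2 (a "high" on an exposed, actively exploited crown-jewel system) ahead of F-1 (a "critical" on an internal, low-value host). Swap the constructed list for an export of real findings enriched with asset inventory and exploit-intelligence data and the same function produces a defensible fix list.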
Go Back to the Basics
- “You want to play but you’ve got to clean your room before you play, right? You have to make sure you don’t have any public facing s3 buckets before you start playing with ChatGPT.”
- “It’s just another reminder that we really need to focus on the basics.”
- “Going back to those fundamentals is what’s going to lead to success.”
While new technologies are enticing, focusing on the basics and maintaining foundational security controls is essential to preventing breaches. Time and again, breaches trace back to simple mistakes that were overlooked.
Security teams must strike a balance between business-as-usual security work and exploring new technologies that keep teams engaged and motivated, while making sure the groundwork is laid before diving into the latest trend. A mature security posture built on fundamentals gives an organization the freedom to explore new technologies and initiatives from a solid foundation.
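The public S3 bucket in the quote above is a concrete instance of "cleaning your room". As an added example (not NetSPI's code or anything from the report), the script below audits a constructed inventory of buckets for public exposure through the bucket policy, the bucket ACL, and whether Block Public Access would neutralize either. The input shape mirrors what boto3's get_bucket_policy, get_bucket_acl and get_public_access_block return, which is an assumption for the example; a real audit would call those APIs for every bucket and also check the account-level Block Public Access setting, which this example does not model.

```python
"""Flag S3 buckets that are public through policy or ACL.

Added example, not NetSPI's code. Bucket data below is constructed and
shaped like boto3 responses (an assumption); no AWS calls are made.
"""
import json

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls",
            "BlockPublicPolicy", "RestrictPublicBuckets")


def principal_is_public(principal) -> bool:
    """'*' or {"AWS": "*"} (possibly inside a list) means anyone on the internet."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def public_policy_statements(policy: dict):
    """Allow statements open to everyone. Statements that carry a Condition
    are reported separately: they may still be public (e.g. only requiring
    aws:SecureTransport) and need a human look rather than an automatic pass."""
    public, conditional = [], []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or not principal_is_public(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        (conditional if stmt.get("Condition") else public).append(sid)
    return public, conditional


def public_acl_grants(acl: dict):
    """Permissions granted to the AllUsers or AuthenticatedUsers groups."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in PUBLIC_ACL_GROUPS]


def audit_bucket(bucket: dict):
    """Exposure findings for one bucket, honouring its Block Public Access settings."""
    pab = bucket.get("public_access_block") or {}
    policy = json.loads(bucket["policy"]) if bucket.get("policy") else {}
    findings = []
    public, conditional = public_policy_statements(policy)
    if not pab.get("RestrictPublicBuckets", False):   # otherwise public policy access is cut off
        findings += [f"policy:{sid}" for sid in public]
        findings += [f"policy-conditional:{sid}" for sid in conditional]
    if not pab.get("IgnorePublicAcls", False):        # otherwise public ACL grants are ignored
        findings += [f"acl:{perm}" for perm in public_acl_grants(bucket.get("acl") or {})]
    if not all(pab.get(k, False) for k in PAB_KEYS):
        findings.append("hardening:block-public-access-incomplete")
    return findings


def audit_all(buckets):
    """Map of bucket name to findings, for buckets with at least one finding."""
    report = {b["name"]: audit_bucket(b) for b in buckets}
    return {name: f for name, f in report.items() if f}


ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
OPEN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*"},
    {"Sid": "VpceOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::marketing-assets/*",
     "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d"}}}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AppOnly", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"}]}

# Constructed inventory: names, account id and policies are illustrative only.
BUCKETS = [
    {"name": "marketing-assets", "policy": json.dumps(OPEN_POLICY),
     "acl": {"Grants": []}, "public_access_block": {}},
    {"name": "backups", "policy": json.dumps(OPEN_POLICY),       # saved by Block Public Access
     "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
     "public_access_block": {k: True for k in PAB_KEYS}},
    {"name": "logs", "policy": None,                             # public via an old ACL
     "acl": {"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
     "public_access_block": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                             "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    {"name": "app-data", "policy": json.dumps(ROLE_POLICY),
     "acl": {"Grants": []}, "public_access_block": {k: True for k in PAB_KEYS}},
]

if __name__ == "__main__":
    for name, findings in audit_all(BUCKETS).items():
        print(name, "->", ", ".join(findings))
```

The "backups" bucket has the same open policy and ACL as the exposed ones but reports nothing because all four Block Public Access settings are on, which is exactly why enabling them everywhere is the basic to do first. Conditional statements are deliberately surfaced for review rather than silently passed.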
Compliance Does Not Equal Security
- “In our hearts, compliance does not equal security. But compliance gets a lot of budget, which helps us do security.”
NetSPI’s Vision Report explored high-level industry data on vulnerabilities and security, showing the government, non-profit, and healthcare industries had the largest volume of critical and high severity vulnerabilities. On the other hand, the insurance and financial services industries had the lowest volume.
This indicates a stark contrast between two highly regulated industries: healthcare and financial services.
Healthcare security leaders have reported difficulty keeping up with privacy regulations, while the financial services industry has leaned into evaluating and penalizing risk management deficiencies. Healthcare may follow suit with stricter enforcement.
Plan for Hiring Early On
- “A lot of times when you build your hiring plan, you don’t necessarily think, ‘okay, I’m going to need to articulate the value of someone entry level to my stakeholders.’”
This makes an entry-level hire a harder sell when the need does arise. Results from the Offensive Security Vision Report reveal a pressing need for increased investment in entry-level cybersecurity roles. More than half of security leaders (55 percent) reported having five or fewer roles budgeted for 2023.
Moreover, when asked about the number of entry-level positions, 71 percent of respondents said fewer than one-fourth of their budgeted roles were allocated to entry-level candidates, and 46 percent had no plans for entry-level hiring in 2023. These findings underscore the urgency of investing in new talent. Closing the global skills gap requires hands-on training and support for people entering the field; investing in entry-level professionals is how the industry builds a robust pipeline of skilled practitioners.
Consider the Interconnected Nature of Your Role
- “The work we do is in the weeds. It’s asset management. It’s vulnerability management. It’s thankless, it’s frustrating. So anything that we as an industry can do to remind each other that there is a mission — there’s a bigger mission than all of us — is appreciated because security is interconnected.”
While it’s easy to get lost in the details of which vulnerabilities deserve the bulk of our attention, we need to stay grounded in the bigger picture: it’s not about checking the box on a single task, but about how your effort fits into creating a secure end state for the business.