
Leveling Up Your Security Strategy with the Synack Platform

11 October 2022 at 13:44

Wade Lance is the Field CISO for Synack.

Are you more secure this quarter than last quarter? Are members of your team learning and getting better? Are you finding deficiencies in your cybersecurity program and fixing them – or are you just swimming along from patch to patch, hoping for the best?

These tough questions are driving many organizations to overhaul their approach to security testing. It’s easy to argue a given security initiative reduces risk. The board is now demanding that you prove it.

Traditional security testing tends to be coin-operated: Perhaps you schedule a one-off pentest, find a vulnerability, fix it, report it to regulators if needed, end of story. There’s no attempt to actually learn about your overall security posture or change your long-term risk level.

Through our Synack Platform, you can review metrics that show the root causes of your security risks, giving you the tools and information to demonstrate to management that you’re actually solving problems. It’s a transformational approach that delivers the kind of information security leadership is demanding.

No more whack-a-mole

In one recent case, we tested a customer across an entire year. About 80% of the vulnerabilities we found over that timeframe had to do with authentication weaknesses. Yes, we’re going to keep finding the flaws and yes, members of our elite Synack Red Team of security researchers can keep validating they’re successfully patched.

Finding and fixing bugs is all fine and good. But if you keep seeing fruit flies in your house, shouldn’t you try to find the source rather than brushing them away one by one?

It was clear that this particular organization needed to boost its developers’ understanding of secure authentication practices so they could stop introducing new vulnerabilities. That deeper insight into authentication problems wouldn’t have emerged from piecemeal security testing aimed solely at ticking checkboxes for compliance.

Our Platform isn’t just about tactical advantages of tapping into a global network of 1,500-plus diverse, vetted security pros. Of course, we believe diverse perspectives in security testing are essential to hardening systems against the full spectrum of cyberthreats. But the Platform is also about offering customers adversarial testing that shows patterns and trends, so CISOs or security leadership have answers when the board comes knocking. That’s a game changer in today’s security landscape.

At Synack, we use transformational security testing to:

  • Identify security process and posture weaknesses
  • Track improvement in those conditions over time
  • Communicate that risk reduction to senior leadership

Yes, we can augment your operational teams with scalable pentests, succinct (and fast) reporting and surge capacity for emergencies like the Log4j vulnerability. But we can also bring the receipts needed to document your security journey and show progress to executives. You won’t get that from traditional testing.

To learn more about the strategic value of the Synack Platform, book a demo or contact us here.

The post Leveling Up Your Security Strategy with the Synack Platform appeared first on Synack.

Overheard at the CISO Table: 4 Takeaways From Dinner Discussions

5 August 2022 at 07:00

Wade Lance is the Field CISO for Synack.

Picture this: You’re seated at a dinner table surrounded by a dozen security leaders. Appetizers are on the way, and the conversation starts to pick up. Your neighbor says something about the Russia-Ukraine conflict, while across the table, a few CISOs engage in a lively discussion about something they read in the Wall Street Journal.

As field CISO for Synack, I’ve attended many such dinners with executives from a range of industries. The events offer a venue to speak frankly about security wins and challenges. Each CISO I’ve met on the road has brought unique perspectives on their most pressing cybersecurity concerns. Without naming any names, here are four themes I picked up on:

Disaster readiness is urgently needed. To say Log4j was a wakeup call would be an understatement. Many CISOs were left scrambling to find on-demand expertise needed to respond to the open source vulnerability that seemed to be everywhere when it first appeared in the news last December. They lacked surge capacity to meet their cybersecurity needs at a critical time, as nation-state threats started exploiting Log4j before their own overworked teams could find and fix it. One idea is to have a relationship with a Pentesting as a Service (PTaaS) partner so that surge capacity is immediately available in the same model that most organizations have with Incident Response partners.

Continuous penetration testing is great (on paper). Wouldn’t it be nice to have someone watching your back, ready to spring into action and find vulnerabilities at the drop of a hat? Sure, but is continuous pentesting really possible, let alone affordable? Getting to a place where top security researchers are constantly assessing their networks can seem like a mirage for organizations struggling to find cyber talent to fill 9-to-5 roles. But continuous development requires a new approach to security testing, so security leaders are looking at their options.

Auditors can be as motivating as malicious hackers. In 2022, it’s a truism that compliance does not equal security. CISOs understand that divide, but that doesn’t make it any easier to navigate. They need to keep auditors happy and keep hackers at bay if they want to stay off the front page of the Wall Street Journal as the next victim of a major hack. That means scaling security teams to juggle both shifting regulatory requirements and constantly evolving cyberthreats. Easier said than done.

Ditch the swag. OK, I’ll admit this one hurt a bit to hear. I love a YETI tumbler as much as the next security pro. But I also understand why CISOs, who know what’s at stake in our cyberthreat landscape, aren’t itching to wear branded socks or apply a Synack patch to their suits. This is a serious business!

…

By the time I steer the conversation back to Synack, I’ve heard fascinating and sometimes provocative viewpoints from the people on the front lines of security leadership. (At one dinner, I was flabbergasted when I heard an executive claim, “We’ve never had any breaches and don’t really consider ourselves a target.”)

Here’s what Synack brings to the table:

  • Surge capacity. For the Log4js of the world, our global Synack Red Team of 1,500+ elite security researchers stands ready to bridge the cyber talent gap, augmenting your own organization’s infosec capabilities when major vulnerabilities drop. But this relationship needs to be in place before the next new vulnerability is discovered to engage researchers immediately, instead of waiting to get through the onboarding process with a new vendor.
  • Diverse perspectives. Synack Red Team members hail from over 80 countries and bring a depth of knowledge that can’t be replicated by in-house pentesters. Your diverse security needs call for diverse answers that just aren’t available from smaller, local teams.
  • Continuous and on-demand pentesting. Our Synack Platform is a one-stop shop where you can harness the talent of our Synack Red Team to find and remediate vulnerabilities that matter, generate clear, actionable reports, check off security tasks to assist with compliance and scale up tests as needed to keep up with your software development process.

To find out more, you can contact us to schedule a demo here. Or maybe I’ll catch you around the dinner table on my next trip!

The post Overheard at the CISO Table: 4 Takeaways From Dinner Discussions appeared first on Synack.
