Chinese military strategist Sun Tzu is quoted as saying, “if you know the enemy and you know yourself, you need not fear the results of a hundred battles.” In cybersecurity terms, that means knowing the cyber-adversaries and associated tactics, techniques, and procedures (TTPs) they use to attack your organization.
Additionally, Sun Tzu’s quote extends to an organizational reflection where you must know everything about your technical, human, and even physical vulnerabilities in order to apply the best protection for critical assets.
How can organizations gain this knowledge? By attacking themselves through penetration testing and red teaming exercises. According to ESG research, organizations pursue penetration testing and/or red teaming at least once a year for the following reasons (note: I am an ESG employee):
- 26% conduct penetration testing/red teaming as a best practice for risk assessment
- 17% conduct penetration testing/red teaming because they are required to do so for regulatory compliance
- 14% conduct penetration testing/red teaming because it is mandated from executive management or the board of directors
- 13% conduct penetration testing/red teaming…
