The terms “readiness” and “resiliency” complement each other, but they’re different.

In last week’s discussion around readiness and resilience, I introduced the concept of what it means to have “threat-informed” cybersecurity. This week, I want to show you what that looks like in the real world – how it should drive you to challenge more assumptions, reduce your attack surface, and game out real-world scenarios.

Long popular in the military, “readiness and resiliency” is a staple of cybersecurity, too. It makes sense. Both institutions value (1) being alert to threats and risks while (2) recognizing that the types of threats and risks themselves are less important than the reaction to them. But how companies PERCEIVE risk is often very different from how they TAKE ON risks. Over 90% of my penetration tests have concluded with successful entry into “secure” environments.

So, you (or your friendly neighborhood MSP) have just finished a vulnerability scan as part of a vulnerability management program and/or in preparation for penetration testing. But one ominous question looms: What next? Sorting through hundreds of thousands of vulnerability logs can be daunting, and determining which ones are worth investigating further is even less of a trivial task.