CISO Global

ROI Matters: Fuel Your Organization's Growth with a Mature Cybersecurity Program

Being a cybersecurity practitioner 15-20 years ago sometimes made me the unpopular guy in the room. People are always excited about financial gain – opening new lines of business, developing creative and sustainable revenue streams – you know, the fun stuff. But nobody wanted to talk about cybersecurity-related financial losses at that time – especially not potential losses due to risks that very few people understood yet.

Are You (Really) Ready and Resilient? Part II

In last week’s discussion around readiness and resilience, I introduced the concept of what it means to have “threat-informed” cybersecurity. This week, I want to show you what that looks like in the real world – how it should drive you to challenge more assumptions, reduce your attack surface, and game out real-world scenarios.

Threat-Informed Cybersecurity: Are You Ready and Resilient? Part I

Long popular in the military, “readiness and resiliency” is a staple of cybersecurity, too. It makes sense. Both institutions value (1) being alert to threats and risks while (2) recognizing that the types of threats and risks themselves are less important than the reaction to them. But how companies PERCEIVE risk is often very different from how they TAKE ON risks. Over 90% of my penetration tests have concluded with successful entry into “secure” environments.