DarkMatter CEO on why auditors and hackers need to sit around the same table

Popular media does a great job of contrasting the typical auditor and hacker. The former is highly organised, carefully dressed and wedded to lists, rules and standards. The hacker is in many ways the total opposite. He or she is extremely casual, harbours disdain for order, rules and hierarchy of almost any kind, and embraces uncertainty and ambiguity.

So it’s hard to imagine the two working together. But if you want to address cyber security needs effectively, that’s exactly what needs to happen. Auditors and hackers working together is the best way to build resilience into an organisation’s cyber security posture.

Firms have adopted the term ‘resilience’ to convey a sense of next-generation protection and to address the reality that, nowadays, preventing attacks is not guaranteed. With an expanding number of zero-day exploits, increasingly sophisticated social engineering tricks, massively resourced adversaries, and exponentially expanding attack surfaces (thanks to the internet of things) preventing all attacks is history.

However, the resilience that I’m describing is not about how well an organisation’s teams coordinate their response in the face of an attack, or how a company’s systems are designed to monitor changing environments, or even how big data analytics can be used to scour your web traffic, software and endpoints for weaknesses.

I’m not referring to resilience generically; I’m using it to describe a very specific approach, and this approach involves ‘auditors’ and ‘hackers’. Neither group in isolation can provide the kind of protection – the kind of resilience – that organisations require today.

Auditors who come to assess an organisation with lists developed by national authorities, international standards bodies, or any other prescribed schemata are great at scoring and quantifying. They can provide data to decision makers on what needs to be done to improve the security posture and to say, “this system is compliant”. But as we all know, just because a company’s password regimen has ticked the regulatory box, it doesn’t mean every employee’s password will stand up to the persistent determination of a clever hacker.

This is the trouble with compliance. It’s certainly better than nothing, as it sets a minimum floor of cyber security protection. But being certified compliant does not mean the organisation is impervious to breach. It’s why you can win the compliance ‘battle’ but lose the ‘war’, in the case of a successful breach.

On the other hand, penetration testing (pen testing) by white hat hackers is recognised as a crucial tool for determining how prepared an organisation is to attack. And yet, by itself, it leaves an organisation unsure, in a methodological way, what it got right and what it got wrong. If the pen test does succeed in hacking a user’s password, it doesn’t provide a measurable way to understand why the security failed and whether this is systemic in the organisation or isolated.

A company that has received all ‘A’s for compliance to applicable standards and regulations doesn’t really know if it will hold up against an attack. Meanwhile, the results of a pen test don’t give organisations a comprehensive list to quantify what went right and wrong. Without such methodology, being sure you’re making the right changes is exceptionally difficult.

By combining the competencies of auditors with hackers, a fuller, more actionable picture emerges. Entities are able to gain confidence that their networks have been tested from almost every possible angle, through a framework that methodologically scores their posture against all relevant standards and regulations and quantifies via a clear format why some areas were successful in defending against attack and others weren’t.

To be clear, this approach isn’t new – it’s just new to IT and IoT. Oil and gas, aviation and new drug development – just to take a few examples – have all used a similar system. A system is modelled, and then months and even years are spent imagining and testing the model against every conceivable scenario.

By combining advanced, intelligent pen testing within an auditor’s meticulous framework, entities gain quantifiable insights into their organisations’ strengths and weaknesses, along with the confidence that comes from some of the most rigorous pen testing available.

Auditors and hackers need not be the best of social friends, but when you want to make sure your organisation is resilient against cyber attack, you definitely want them in the same room together.

Faisal Al Bannai is founder and chief executive officer of DarkMatter