Summary
1. Stop throwing money at products
2. Identify assets, processes, technology, threats.
3. Assess your current posture. Identify gaps.
4. Address gaps based on priority and relevance. Consider cost (of impact, of fixing).
5. Test effectiveness.
6. Back to 2.
REMEMBER!
• You are not fighting off pentesters.
You are fighting off actual adversaries.
• You are not fighting off auditors.
You keep your organization working.
• You are not fighting off regulators.
You are trying to keep yourself out of jail.