1. Stop throwing money on products
2. Identify assets, processes, technology, threats.
3. Assess your current posture. Identify gaps.
4. Address gaps based on priority and
relevance. Consider cost (of impact, of ﬁxing).
5. Test effectiveness.
6. Back to 2.
• You are not ﬁghting off pentesters.
You are ﬁghting off actual adversaries.
• You are not ﬁghting off auditors.
You keep your organization working.
• You are not ﬁghting off regulators.
You are trying to keep yourself out of jail.