Chief Information Security Officers have become sought-after high-level professionals at the request of the Financial Supervisory Commission. How can they grasp current information security threat trends and arrange information security resource allocation while maintaining compliance?
Dave Cole of the offensive cybersecurity company DEVCORE was recently invited by Microsoft to appear at the Microsoft CISO Salon. He shared his thoughts on enterprise cybersecurity risks and resource allocation from a white hat hacker's perspective, and also explored the best investment strategies for corporate cybersecurity with Microsoft representatives.
Microsoft launched the CISO Salon, a communication platform for enterprise security teams, in April this year, inviting industry professionals to discuss technology, regulations, market trends, and talent development. DEVCORE was invited to become the first external partner of the CISO Salon, working together to identify optimal security configurations and enhance security protection capabilities across various industries.
Cybersecurity risks are hard to prevent; attack-side thinking can help cybersecurity chiefs achieve twice the result with half the effort.
The epidemic has accelerated the pace of digital transformation in the industry, making cybersecurity threats more serious than ever a hidden concern for companies. The Financial Supervisory Commission also recently announced a two-stage requirement for listed companies to set up cybersecurity-related units, causing large companies to start looking for suitable chief cybersecurity officers and formulate more comprehensive cybersecurity strategies.
DEVCORE, one of the few "offensive cybersecurity companies" in Taiwan dedicated to researching world-class attack methods and possessing extensive experience in detection and cybersecurity risk assessment, uses an "attacker's perspective" to help CISOs assess risks and allocate resources. DEVCORE CEO Hao-cheng Weng stated at the CISO Salon that the biggest challenge facing businesses today isn't the difficulty of complying with regulations or a lack of strategy, but rather the fact that the cybersecurity risk landscape is far larger than businesses imagine. The information asymmetry between defenders and attackers makes it difficult for businesses to identify key attack areas from a hacker's perspective and effectively deploy appropriate protections. Consequently, unprotected areas often become attack paths, leading to losses for the business.
DEVCORE CEO Weng Haozheng stated, "When reviewing risks, we recommend that companies should not only examine regulatory requirements to select protection scope and targets, and procure information security equipment and services, but should also comprehensively consider external risk assessment methods such as red team exercises and penetration testing to verify the effectiveness of their investment in information security protection. This should include continuously reviewing the investment of information security resources, including monitoring coverage, event accuracy, and response time, to identify unknown risks."
Allocating information security resources is more than just adding budget; correctly assessing the scope of risk is more critical.
Furthermore, with the increasing frequency of cybersecurity crises, corporate budgets for cybersecurity have become a key concern. Most organizations have already increased their cybersecurity budgets to comply with regulations and for sustainability reasons. However, DEVCORE's long-term observations indicate that many companies overly focus on known, existing vulnerabilities in budgeting and planning, overlooking the potential high impact of undiscovered system vulnerabilities. Therefore, allocating budget to external teams with offensive capabilities to assist in drills can effectively mitigate risk.
"Companies should recognize that cybersecurity budgets, as a crucial component of maintaining stable business operations, should not simply be a portion of the IT budget but should be considered from the perspective of ongoing operations. Strategic thinking is often more effective than simply purchasing weapons. Companies should allocate budgets or make purchases based on actual risks and formulate appropriate budget plans based on the scope of risk assessment to optimize cybersecurity investments. Within the scope of risk assessment, consider shifting from passive to active, adopting a 'hacker mindset' and using red team exercises to identify potential threat areas in the system, fully optimizing the company's risk assessment mechanism and improving the overall quality of cybersecurity protection," Weng Haozheng shared at the meeting.
DEVCORE and Microsoft collaborate to help Taiwanese companies withstand cybersecurity challenges
DEVCORE, a world-class offensive cybersecurity company, officially launched its red team drill service in 2017. This service helps companies in industries with high cybersecurity requirements, including government, finance, semiconductors, e-commerce, and healthcare, to verify whether their security protections are in place. Through actual drills, DEVCORE further verifies companies' cybersecurity capabilities and identifies potential vulnerabilities.
In addition, its research team has reported vulnerabilities in over 30 product types, including those of Pulse Secure, Fortinet, Palo Alto, and Jenkins, and has received bug bounties from companies such as Amazon, Facebook, GitHub, and Google. The DEVCORE team was also the first in the world to discover and immediately report a zero-day exploit in Microsoft Exchange servers, enabling the company to patch the vulnerability in a timely manner to avoid further losses. The DEVCORE team was publicly thanked by Microsoft on March 3 of the same year.
Zhu Yifang, Vice General Manager of the Microsoft 365 Business Unit at Microsoft Taiwan, said, "Microsoft Taiwan believes that cybersecurity isn't the responsibility of a single vendor. Instead, through a layered approach where each organization performs its own duties, enterprises can leverage existing resources to integrate all cybersecurity intelligence into a single platform for real-time monitoring and maximum cybersecurity protection. This can only be truly achieved if enterprises have professionals with cybersecurity expertise. We are honored to invite DEVCORE to participate in the Microsoft CISO Salon to help Taiwanese businesses and organizations combat ubiquitous cybersecurity threats and attacks, jointly resist cybersecurity challenges, and contribute to Taiwan's cybersecurity protection."
