By Alexander Kaufman | CISSP, CISA, GSTRT, GSNA

Back in 2002, Donald Rumsfeld, the US Secretary of Defense, broke down threats into three categories of “knowability”:
- Known knowns – those are the things we know that we know;
- Known unknowns – those are the things we know we don’t know;
- Unknown unknowns – this category includes the things we don’t know we don’t know.
- Leaders should be aware that information security risks are like an iceberg – less than 10 per cent are visible, and the rest are under the surface;
- There is no such thing as a long-term information security program. A security program must be dynamic and provide appropriate responses to existing cyber threats;
- Organizations must adopt a proactive information security approach to reveal the risks that lurk under the surface. Being proactive in cybersecurity is more cost-effective than staying reactive;
- New practices and continuous security testing must be developed and implemented to optimize the effectiveness of security controls, and to provide an adequate response to security gaps;
- The “Let’s fix what we know first” approach will never work: fixing only the known gaps is a never-ending process. To make it more effective, organizations must adopt more comprehensive approaches that identify the unknowns and turn them into knowns.