David Carvalho, Global CISO, OCS Group

You Must Account for Entirely New Kinds of Risks

  • You can have a provider with many certifications and service-level agreements in place, but providers will not be liable for your losses or for your non-compliance.
  • In a blockchain strategy, you use continuous polling to validate all devices. A hacker would need to change all the devices at once in order to compromise one device, which is a practical impossibility.

“Have vulnerability scanners look at your assets from the inside out and also scan from the outside in, to give you the hacker’s view. Check one scan against the other, and patch vulnerabilities quickly”

David Carvalho, group chief information security officer (CISO) for OCS Group UK and a self-described hacker with board-level acumen, warns that in a modern IT ecosystem designed more for ease of use than for security, companies must recognize that hackers will gain entry.  “The hacker always wins against the defender,” he says. “As a defender, I have to leverage real-world tools and budgets, and my liability is absolute. Hackers leverage their imagination, and their liability is zero.” Companies must build security strategies based on realistic risk assessments and practical risk management decisions, Carvalho notes.

This is an excerpt from Reducing Cyber Exposure From Cloud to Containers. The eBook was generously sponsored by Tenable.