Many well-known security incidents appear to have a common pattern. They are not the result of some awesome attacker capability to exploit some hitherto unknown vulnerability or to realize a risk from some combination of control weaknesses not contemplated.
“But didn’t we have a [ process | tool | component ] to stop that happening?”
1. Build a catalog of key controls using a well-formed ontology (I’ve not totally drunk the overall FAIR Kool-Aid, but their controls ontology is very good).
Validate continuously.