CyberArk CEO Udi Mokady lines up for a Security Slap Shot on the need for security leaders to be productively paranoid.

“Just because you’re paranoid doesn’t mean they aren’t after you.”

Joseph Heller penned that in Catch-22. It captures the challenge of many security leaders today. In a profession that breeds paranoia, we need to worry less about how paranoid we are and ask ourselves, “How productive is our paranoia?”

Udi Mokady, founder, chairman and CEO of CyberArk, has some ideas on how to answer the question.

A few months ago, I talked with Mokady about the need to “sprint before getting forced to scramble.” During that conversation, I asked if he saw a trend in the security leaders advancing their positions. Without hesitation, he explained that the leaders embracing red teams had a deeper understanding and were demonstrating more success. I asked him to expand a bit. Here’s his security slap shot:

Security leaders must be ‘productively paranoid’

Successful business leaders understand the power of disruption as a pathway to anticipating unstated future customer needs. The concept of disruption as a force for innovation is powerful in the field of cybersecurity and often pushes business leaders to problem-solve in new or unexpected ways. Proactively simulating attacks on your own organization is an excellent example. With now-broad acceptance that attackers will get in and that compromise is expected, there are distinct advantages to being “productively paranoid.”

Security leaders who are productively paranoid fully embrace the idea that the best way to play defense is to start playing offense. This doesn’t mean companies should “attack back,” but they need to understand the mindset and pathways attackers take to infiltrate organizations. This is why CyberArk encourages customers to consider the benefits of conducting red team exercises.

Attackers are continually honing their skills and looking for new vulnerabilities to exploit.
Security teams must have an equally agile approach — with the ability to confidently identify weak spots before the attackers do — and mitigate associated risks.

Effective risk management becomes harder as enterprises embrace cloud and DevOps strategies, which can expand the attack surface and create new blind spots. Red team exercises are designed to simulate a real-world adversary and test the security operations team’s ability to respond to advanced threats. By conducting red team exercises, enterprises can test their ability to detect and protect against known and unknown threats, find their most vulnerable points, and better understand what steps attackers may take during the phases of the attack.

Whether conducted by internal teams or by external groups, it’s important for business leaders to remember that red team exercises don’t result in a pass or fail grade. Attackers will always find a way in, and organizations should take an “assume breach” approach in their security posture. With the current threat environment, CEOs and boards will increasingly ask if this sort of proactive testing and threat simulation is happening. With red teaming, organizations can do more than demonstrate that they are checking boxes; they are demonstrating a quantifiable commitment to risk management that puts security first.

My analysis (color commentary)

I want to amplify a key point: proper testing is not pass or fail. I see a lot of security leaders get the required test to satisfy a requirement, or use it as a way to demonstrate a need for something. While those might be important, testing is a way to better understand what is likely to happen. Proper testing — embracing a red team, for example — is a great way to clarify your focus and prioritize your effort on what is going to make the most difference. The more we understand the reality of attackers, the better our ability to defend. And sometimes that means building in the right resilience.
I’m not worried about a breach, per se. I’m more interested in how quickly you detect a breach and how rapidly you respond appropriately. Embracing your red team efforts might just give you an edge.

Your turn — react

How do you feel about red teams? Are you getting the most out of your red team efforts?

Take it to Twitter and engage with me (@catalyst) to let me know what you think.

Ready, set, react!