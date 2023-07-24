Trust is and always will be a two-way street, and verification is how trust is earned and maintained. The old proverb "trust but verify" drives home the point that one should verify everything before accepting or committing to a course of action.

Every enterprise, regardless of sector, has engagements which require trust, be they with colleagues, employees, suppliers, or vendors. CISOs know this better than most, as they are often bringing tools into their security mix to help protect assets and are trusting that these will work as advertised. Yet, anyone familiar with 30 years of Silicon Valley marketing hype has become very familiar with the term "vaporware" -- clearly, trust can never be absolute.

I am by nature a skeptic, and even my own family has long labeled me a doubting Thomas. I am a big fan of verification and that makes me a big fan of Horizon3 CEO Snehal Antani, whose use of the proverb is front and center in his company's marketing efforts but with the words "trust but" crossed out -- leaving only "verify."

In a conversation at RSAC 2023 on the considerable merits of red teaming, Antani reiterated his contention that there should be "no trust," that his advice to CISOs is always "don't trust," and that the only sound policy is simply to "just verify."

More recently, I had the occasion to revisit the discussion and ask Antani to expand on his remarks, specifically for the CISO community. He offered that: "As an industry, we have a security effectiveness problem, in that the many vendor tools and processes within the SOC require significant effort to configure and tune correctly. Attackers know this and are able to attack at the seams of these tools."

That means that even though a company might spend millions of dollars on the latest security offerings such as SIEM, UDA, EDR, and the like, they shouldn't simply trust that these tools will successfully fend off attackers -- they must verify their effectiveness early and continuously.