Security Strategies in the Digital Age
1. Replacing Password-Authenticated Security Controls
According to CISO Marcus, AuditBoard has been gradually moving away from password-based security controls since 2024. Instead, the company is opting for dynamic authentication methods: "When we select a provider, we openly state that we do not accept static authentication methods like passwords or tokens. However, we must be realistic: if this is not feasible with certain products, the passwords used must be changed regularly. For us, static credentials have become the exception."
2. Penetration Tests with a Twist
Some security experts view penetration tests as an outdated strategy. For example, Attila Torok, CISO at GoTo, believes that tests conducted only once or twice a year to meet compliance or vendor requirements are ineffective: "This is not suitable for evaluating the actual security posture of a company. It is a snapshot. The environment at GoTo changes constantly; for instance, we change our code multiple times a day – a yearly penetration test would bring nothing but exorbitant costs."
Dynamizing Security
However, Torok is not entirely opposed to penetration tests. He says he has a team that regularly tests the GoTo environment for vulnerabilities: "A dynamic approach to pentesting is the better choice for environments that are constantly changing."
Frequently Asked Questions
Q: What is the primary security concern for AuditBoard?
A: AuditBoard is moving away from password-based security controls and opting for dynamic authentication methods.
Q: What is the view of Attila Torok, CISO at GoTo, on penetration tests?
A: Attila Torok believes that penetration tests conducted only once or twice a year are ineffective for evaluating the actual security posture of a company.
Q: What is the alternative to traditional penetration tests?
A: A dynamic approach to pentesting is recommended for environments that are constantly changing.
Q: What is the frequency of penetration tests recommended by the security decision-maker at GoTo?
A: The security decision-maker at GoTo recommends a dynamic approach to pentesting, with tests conducted regularly to identify vulnerabilities.
Conclusion
The shift towards dynamic authentication methods and the reevaluation of traditional penetration tests are crucial steps in maintaining the security of organizations in the digital age. As companies like AuditBoard and GoTo adapt to the changing landscape, it is essential to prioritize security strategies that can effectively mitigate risks and ensure the protection of sensitive data.