Moving beyond checkbox security for true resilience
In this Help Net Security interview, William Booth, director, ATT&CK Evaluations at MITRE, discusses how CISOs can integrate regulatory compliance with proactive risk management, prioritize spending based on threat-informed assessments, and address overlooked vulnerabilities like shadow IT and software supply chain risks.
CISOs face increasing regulatory pressure. How should organizations balance compliance requirements with proactive cybersecurity measures that go beyond mere compliance?
Compliance is a critical foundation, but it should be the starting point of an organization’s cybersecurity strategy, not the end goal. A ‘check-box’ approach may fulfill regulatory requirements, but it can also create the illusion of safety. Organizations that only achieve regulatory compliance are still exposed to sophisticated attacks that exploit vulnerabilities outside the strictly mandated areas. It’s important to adopt a proactive approach, anticipating, adapting to, and mitigating threats before they have impact.
CISOs should incorporate regulatory compliance into a broader cybersecurity strategy, ensuring it aligns with overall business priorities and risk tolerance. Once necessary compliance requirements are satisfied, take stock of your current defensive posture. Security controls should be mapped to real-world attacks, identifying gaps and enabling organizations to stay ahead of emerging threats.
Finally, investing in regular, rigorous testing is essential. Uncovering weaknesses before adversaries do is core to a resilient security posture. There are many free resources to help CISOs. For mapping, see Mappings Explorer. For regular, rigorous testing, see tools like MITRE Caldera.
How should CISOs prioritize cybersecurity spending to ensure optimal risk reduction?
A threat-informed and risk-based approach is paramount in an era of perpetually constrained cybersecurity budgets. Begin by assessing the organization’s crown jewels – sensitive customer data, intellectual property, financial records, or essential infrastructure. These assets represent the core of the organization’s value and should demand the highest priority in protection.
Next, a risk assessment must discern the most probable and impactful threats. Not every organization will face nation-state adversaries or prolific criminal groups; ransomware may be a more likely threat, allowing for strategic allocation of resources. This targeted approach ensures spending is concentrated on mitigating the most significant threats.
Finally, regular evaluations tracking performance metrics highlight what is improving. For resource-limited organizations or those seeking to bolster existing security teams, managed security services offer a cost-effective avenue to augment capabilities and enhance overall security posture.
What are the most common blind spots in an organization’s attack surface that organizations often overlook?
Organizations frequently underestimate the risks from unmanaged devices, also called shadow IT, and within their software supply chain. As reliance on third-party software and libraries embedded within the organization and in-house apps deepens, the attack surface becomes a constantly shifting landscape with hidden vulnerabilities.
Unmanaged devices and unauthorized applications are equally problematic and can introduce unexpected and substantial risks. To address these blind spots, organizations must implement rigorous vendor risk management programs, track IT assets, and enforce application control policies. These often-overlooked elements create critical blind spots, allowing attackers to exploit vulnerabilities that existing security measures might miss.
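One concrete form of the asset tracking and vendor review described in this answer, written as an added example (it is not from the interview and not MITRE's tooling): reconcile what is actually observed on the network and inside an in-house application against what the organization has authorized. Devices seen in DHCP leases but absent from the asset register are shadow IT candidates; embedded third-party components whose vendor has not passed vendor risk review are supply-chain gaps. The asset register, lease table, vendor allowlist and component list below are all constructed sample data, and the function and field names are the example's own.

```python
"""
Added example (not from the interview or from MITRE): reconcile observed
hosts and embedded third-party components against the organization's
authorized inventory to surface shadow IT and unvetted supply-chain
dependencies. All inputs are constructed sample data.
"""
from dataclasses import dataclass, field

# Constructed: what the asset register (CMDB) says is managed, keyed by MAC.
ASSET_REGISTER = {
    "aa:bb:cc:00:00:01": "ws-finance-01",
    "aa:bb:cc:00:00:02": "srv-erp-01",
    "aa:bb:cc:00:00:03": "ws-hr-07",
}

# Constructed: hosts actually observed on the network (e.g. DHCP leases).
DHCP_LEASES = [
    ("10.0.5.11", "aa:bb:cc:00:00:01", "ws-finance-01"),
    ("10.0.5.12", "aa:bb:cc:00:00:02", "srv-erp-01"),
    ("10.0.5.40", "de:ad:be:ef:00:01", "raspberrypi"),
    ("10.0.5.41", "de:ad:be:ef:00:02", "Johns-iPhone"),
]

# Constructed: vendors whose components have passed vendor risk review.
APPROVED_VENDORS = {"acme-corp", "example-foundation"}

# Constructed: third-party components embedded in an in-house app
# (the kind of list a software bill of materials would carry).
IN_HOUSE_APP_COMPONENTS = [
    {"name": "fastjsonlib", "version": "2.1.0", "vendor": "acme-corp"},
    {"name": "crypto-helpers", "version": "0.9.4", "vendor": "example-foundation"},
    {"name": "left-pad-ish", "version": "1.0.0", "vendor": "unknown-npm-author"},
    {"name": "legacy-parser", "version": "0.1.2", "vendor": ""},
]


@dataclass
class Findings:
    """Results of one reconciliation run."""
    unmanaged_devices: list = field(default_factory=list)
    unapproved_components: list = field(default_factory=list)


def find_unmanaged_devices(leases, register):
    """Return (ip, mac, hostname) tuples whose MAC is not in the asset register."""
    return [(ip, mac, host) for ip, mac, host in leases
            if mac.lower() not in register]


def find_unapproved_components(components, approved_vendors):
    """Return components whose vendor is blank or not on the approved list."""
    return [c for c in components
            if c.get("vendor", "") not in approved_vendors]


def audit(leases=DHCP_LEASES, register=ASSET_REGISTER,
          components=IN_HOUSE_APP_COMPONENTS, approved=APPROVED_VENDORS):
    """Run both checks and return the findings for review or ticketing."""
    findings = Findings()
    findings.unmanaged_devices = find_unmanaged_devices(leases, register)
    findings.unapproved_components = find_unapproved_components(components, approved)
    return findings


if __name__ == "__main__":
    result = audit()
    for ip, mac, host in result.unmanaged_devices:
        print(f"unmanaged device: {host} ({ip}, {mac}) not in asset register")
    for comp in result.unapproved_components:
        vendor = comp["vendor"] or "<no vendor recorded>"
        print(f"unvetted component: {comp['name']} {comp['version']} from {vendor}")
```

In practice the lease table would come from the DHCP server or a network scan and the component list from the build's SBOM; the value of the check is that it runs on a schedule, so a new device or dependency shows up as a finding rather than staying invisible until an incident.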
Organizations like T-Mobile and Microsoft have recently made significant security investments. What lessons can CISOs learn from these large-scale security overhauls?
T-Mobile and Microsoft face incredibly dynamic and sophisticated threats. Their security investments speak to the risks and threats faced by organizations, threats that are not going away. They underscore the necessity of viewing security as a continuous, evolving landscape rather than a singular line. CISOs should see these investments as necessary and proactive commitments to continuous improvement. CISOs must conduct regular reviews and updates to security programs to ensure their organizations remain agile and resilient in the face of ever-evolving cyber threats.
Threat actors are becoming increasingly sophisticated. What are the top emerging threats in 2025 that security teams should prepare for?
Regardless of the trends, CISOs should assess the specific threats relative to their organization and ensure that foundational security measures are in place.
We see a rising threat from cloud-focused attacks. Increasing cloud adoption exposes new attack vectors and a larger attack surface.
Additionally, the ransomware landscape continues to evolve and adapt, with attacks becoming increasingly targeted and intricate. Notably, the trend of data exfiltration before encryption is gaining traction, transforming ransomware into a dual-threat extortion scheme.