
Another factor that keeps CISOs from incorporating more offensive security into their strategies is concern about exposing vulnerabilities they don’t have the ability to address, Mellen adds. “They can’t unknow that they have those vulnerabilities if they’re not able to do something about them, although the hackers are going to find them whether or not you identify them,” he says.
Still, Mellen and others contend that it’s critical for CISOs to implement and expand OffSec measures now as hackers increasingly leverage AI to launch more targeted and more sophisticated attacks at a faster clip. To counteract hackers’ growing capabilities, experts say CISOs must become faster at identifying and closing security gaps, which is exactly what OffSec enables them to do.
“Offensive security is more important than it was before, because threat actors are using AI-enabled tools to develop attacks we haven’t experienced before. Back when hackers were using script kiddies, attacks were fairly predictable,” says Aimee Cardwell, CISO in residence at tech company Transcend and former CISO of UnitedHealth Group. “Now hacks are so esoteric, they’re almost hard to understand. And if you’re only relying on scanning, you’re not catching potential vulnerabilities early enough or at all. You need to continuously be looking for them through offensive security.”
