The French philosopher Rene Descartes once said, “If you would be a real seeker after truth, it is necessary that at least once in your life you doubt, as far as possible, all things.” This quote underscores one of the guiding principles that drive our work at CYE: challenge assumptions – always.
It is no revelation that we are all being flooded with an endless barrage of information in essentially all aspects of life. Some have even coined the term “knowledge obesity” to describe this information overload. While it is true that there is no greater wealth than wisdom, the wisdom is only as valuable as the facts and authority upon which it is based.
Working in an oversaturated industry that is filled with so many options and choices, it is often difficult to rise above the noise and buzzwords in order to find real cybersecurity solutions.
Now, more than ever, it is important to separate the wheat from the chaff, or the real from the rest. Here’s what makes CYE real:
We never make assumptions
When assessing the security posture of an organization, we don’t make any assumptions. We don’t think that simply because certain security measures are in place that they are unbreachable. We challenge them anyway.
When we attack an organization, we act like hackers. We collect the information ourselves. We execute social engineering campaigns, collect passwords and bypass each and every one of the organization’s security controls — without the concept of whitelisting.
Unlike other cybersecurity providers, who limit their scope by only working with Windows environments, or by not working with the cloud, we believe that every organizational asset is within scope and part of the game. Limiting scope limits understanding and does not provide organizations with the ability to see the overall picture or the holistic view of their cybersecurity vulnerabilities.
As we have seen time and time again, attackers exploit the weakest links in the chain in order to infiltrate an organization. As a result, we leave no stone unturned and assess all aspects of the organization, including OT, IT, IoT, the cloud and so on.
We do not use “theoreticals” when executing an attack
When we talk about the execution and implementation of cybersecurity risk scenarios or threat scenarios, we go all the way — with the full coordination and consent of the organization. For example, when we take control over a domain admin account, we do not stop there and say: “okay, from here, theoretically everything is possible.” The domain admin account may be compromised, but we understand that practically, the distance and the difference between having account information and stealing from a bank account in a specific bank, for example, is quite significant. When we talk about stealing from a bank or taking down an airplane, we do not actually steal from a bank or take down a plane without authorization, but we demonstrate that we are, in fact, able to do so. This is, essentially, the closest an organization can get to experiencing a cyber attack without paying the consequences.
We take a fact-based approach
We provide fact-based, mathematical and quantitative solutions to our customers, which dramatically decrease their cyber risks. We measure risk reduction, while enabling our customers to use the quantitative information as part of their cybersecurity decision making – not in a theoretical way, but in a very practical way. We do this by measuring the external threat landscape (i.e. global threat landscape and what is happening in the world), as well as internal or organizational risks. We determine every organization’s attack routes and vulnerabilities, the probability of them being exploited and the potential business impact if such an attack were to be executed.
Moreover, we understand that when conducting security assessments, there is no “one-size fits all.” Rather, we look at each and every organization in a personalized and tailor-made way, providing our customers with a specific and dedicated platform that is based on their priorities, critical business assets and so on. What is critical for organization A, may be of little or no significance to organization B, and vice versa.
We provide practical and rational mitigation plans
We are not driven by the concept of compliance or by convenient checklists. While compliance is a necessary step toward improving security, we believe that it is simply not enough. Instead, we prioritize our customers’ most critical business assets in order to provide them with the most practical, efficient and cost-effective solutions for their businesses.
As CISOs watch and bear witness to even the biggest companies being breached as a result of not abiding by basic cyber hygiene, it is essential to take a real, fact-based and mathematical approach that constantly challenges assumptions. We have tried and tested our methodology for close to a decade; we have taken a “back to basics” approach, focused on returning organizations to their security foundations; and we have successfully provided our customers with real cybersecurity that puts them ahead of the curve. Ultimately, we believe that real cybersecurity is not a commodity, but an essential part of any organization and the most effective way of securing their most critical assets.