Security professionals have always been told to “think like the enemy.” This philosophy could start with a series of questions like: How could an adversary gain a foothold in one of our systems? How would they circumvent our security controls? How would they find and exfiltrate our sensitive data? Armed with knowledge about what an adversary would do, security teams could then design countermeasures to impede or even stop the bad guys in the tracks.
Good strategy, but most security professionals don’t have the knowledge or skills to take an adversary’s perspective. CISOs, recognizing the value of thinking like the enemy, have overcome this deficit by conducting penetration testing or red teaming exercises, attacking themselves to test their defenses.