Vulnerability Assessments: Are You REALLY Doing Them?

IoT Security Theatre

Wed 26th Sep 01:40 to 02:10

Many organizations don’t do vulnerability assessments (VAs), though they may do things that they THINK are VAs. While potentially useful, activities such as penetration testing, “Red Teaming”, security surveys, security audits, compliance checking, feature analyses, threat assessments, Risk Management, DBT, fault/event tree analysis, software assessment tools, etc. are not vulnerability assessments.

They often fall short of the security benefits that a good VA can provide. This talk discusses why VAs are so important and how to do them. Unconventional security metrics and insider threat mitigation in the context of effective VAs will also be covered. The speaker is a professional vulnerability assessor with 30 years of experience.

What you will take away from this session

  • Why Vulnerability Assessments are better than pen testing, “Red Teaming”, security audits, threat assessments, etc.
  • The questions a Vulnerability Assessor asks, and you should, too!
  • Some unconventional approaches to security metrics & insider threat mitigation
  • Why “Compliance-Based Security” is an oxymoron


Speaker: Roger Johnston