I've just had a discussion with a fellow Head of Cybersecurity around vulnerabilities and two things struck me that people need to understand: firstly, vulnerabilities have different states and secondly, scanning tools don't have all the context so can't actually tell you what risk you are running. Our discussion started with a statement from them that vulnerabilities are black and white - they're either there or not. It's actually a bit more nuanced than that though. Without making this more complicated than it needs to be, inherently there are two states a vulnerability can be in: exploitable or unexploitable (sometimes called active or dormant with other subtleties). This doesn't mean that they are being exploited, but that it is either possible to exploit the vulnerability in the current configuration (however hard that may be) or it isn't without some other change happening first. In our discussion, my peer argued that if it is unexploitable then ther
I often get asked what I look for when hiring security professionals and my answer is usually that I want the right attitude first and foremost - knowledge is easy to gain and those that just collect pieces of paper should maybe think about gaining experience rather than yet more acronyms. However, it's difficult to get someone to change their mindset, so the right attitude is very important. But what is the right attitude? Firstly, security professionals differ from developers and IT engineers in their outlook and approach, so shouldn't be lumped in with them, in my opinion. The mindset of a security professional is constantly thinking about what could go wrong (something that tends to spill over into my personal life as well, much to the annoyance of my wife). Contrast this with the mindset of a developer who is being measured on their delivery of new features. Most developers, or IT engineers, are looking at whether what they have delivered satisfies the requirements fr