Managing the Security Unknowns

Donald Rumsfeld, former Secretary of Defense, said in 2002 during a press conference that there are “unknown unknowns—the ones we don't know we don't know.” His statement about unknown information is directly applicable to security professionals. Most CISOs understand that the first step in a security plan is to identify systems, people, assets, data, and capabilities in the organization. After all, you can’t secure what you don’t know about. The discovery process helps to move unknown assets and capabilities to the known category. But what about those items you think you have but cannot find? Or even worse – those you don’t even know to look for? This talk examines this problem in the context of security discovery and how to apply it to the CISO’s job of understanding and managing security risks.