Michael Rozin (MR), President of Rozin Security Consulting LLC, has kindly agreed to speak to Human Risks (HR) ahead of his conference sessions at this year’s Global Security Exchange (GSX), Florida, US. Michael has 20 years of experience in the security industry and is an anti-terrorism specialist. Previously, Michael was a Special Deputy at Hennepin County Sheriff’s Office and was a Professor and Course Director at the University of Minnesota.
Michael’s GSX events:
Red Teaming: The Key to Effective Security: Monday 27th September, 11:30 AM – 12:30 PM Eastern Time (US & Canada)
Large Venue Protection in 2021: Monday 27th September, 3:30 PM – 4:30 PM Eastern Time (US & Canada)
Human Risks talks about Red Team Testing with Michael Rozin
HR: How often should organizations undertake Red Team Testing?
MR: The frequency of red teams should be based on the critical assets an organization has. It is recommended that each critical asset is red-teamed once a year.
HR: What are the top three crucial factors to consider before running a Red Team Test?
MR: It is critical to define what asset will be red-teamed, what potential threat element the red team is attempting to simulate, and what domain of security measures (physical, technological, or operational) will be the focus of the red team.
HR: Are there certain industries that need to Red Team Test more often than others?
MR: The higher the organization’s overall risk, the more frequent red teams will be beneficial to the organization. The higher-risk organizations such as Government facilities, high-profile Fortune 500 corporations, controversial political organizations, defense industrial base sector, and transportation systems sector require more frequent red teams.
HR: How do you ensure that the Red Team Tests you run are effective at testing the system?
MR: By bringing an innovative, creative and skilled team of red teamers who are closely familiar with the threat element chosen to be simulated and are willing to attempt to target every possible security measure that protects the targeted asset. This is done by ensuring the red team is using physical, technological, and human resources.
HR: During your career, how has Red Team Testing evolved?
MR: The development of new technology has evolved the red team operations. Today the red teams can be done solely virtually, and even the physical red teams rely heavily on various technology commercially available on the market. Only 10-15 years ago, many of the red teams I have conducted were primarily physical.
HR: What future challenges can you foresee as key threats that Red Team Testing will need to overcome in order to remain effective?
MR: With the abundance of new technology, I have seen many corporate red teams step away from the social engineering and critical physical red team methods and rely primarily on technological red teaming. However, we have noticed that aggressors continue to leverage vulnerabilities in physical, technical, and operational domains.
HR: How can technology and AI benefit the Red Team testing process?
MR: There are two types of red teams, analytical and physical. When it comes to the analytical red team, the AI can help compute scenarios and assign a probability to each scenario that could significantly enhance the process. On the physical side, the technology can dramatically improve the gathering of critical operational information about the targeted location and asset.
HR: Do you think that Legislation, Regulation and Governance do enough to ensure effective Red Team Testing? If not, what more could be done?
MR: Sadly, there is not enough regulation when it comes to this very critical security discipline. I think when it comes to federally regulated entities, the red teaming should be added as a mandatory component of an effective security operation. The level of red teaming and its frequency should be based on the required level of protection and should fall in line with the Unified Facilities Criteria standards.
HR: Does Red Team Testing and measuring help Security Managers present a more robust ROI business case?
MR: I believe Red Teaming is one of the most effective ways to truly measure ROI. Theoretical assumptions about the effectiveness and need of specific security measures are nowhere near as effective as practical evidence of the effectiveness or ineffectiveness of certain measures and the consequences of such for the assessed critical asset for any organization.
HR: If you can offer any advice to an organisation aiming to set up Red Team Testing, what would it be?
MR: I think every organization with a medium to high-risk profile should have a red team operation. Start by designing a concept of operation (CONOPS) of the planned red team department and engage with someone who has experience designing and executing red teams to avoid unnecessary mistakes. Identify specific roles, and skill sets necessary for your red team based on your CONOPS. Ensure the entire team is uniformly trained on your CONOPS, methodology, and techniques. Start by executing small, easy red teams before going after more complex and very challenging red team operations.
HR: What three top tips can you offer to Security Managers when it comes to assessing organisational risk in these volatile times?
MR: Ensure the threat assessment part of your risk assessment is effective and in line with the emerging and active threats. Perform the risk assessment once a year, and ensure the assessment is centred on the organization’s critical assets.
Thank you, Michael, for taking the time to share your experience and views with us. We wish you all the best of luck with the GSX conference.