When I was a CTO running a data center, I used to ask my ops team to do the shotgun test. They had to imagine our worst enemy came into the data center with a shotgun with one slug. What could they destroy to do the most damage? (I didn’t realize until recently that this was a modified version of Netflix’sChaos Monkeytesting approach.)
Lately I’ve wondered what the cybersecurity equivalent of the shotgun test is. How could you even do such a test? The fact is, without an understanding of your weaknesses, it isn’t possible to see what your worst enemy would do to you.