OASIS Summer Event: Red Teaming, Scorecarding, and Endpoint Security

This week, the Ham Yard Hotel in London became the hub for cybersecurity thought leaders as the OASIS summer event unfolded. Industry experts gathered to dissect pressing topics, with a particular focus on endpoint security, Red Teaming strategies, and the growing importance of cybersecurity scorecards. The discussions offered actionable insights for organizations striving to stay ahead of evolving threats.

Red Teaming: Beyond Technical Vulnerabilities

Mark Nicholls, principal security consultant at Context, kicked off the presentations by exploring the nuances of Red Team testing. He emphasized that this approach evaluates the entire organization, not just its technology. “Red Team testing can mean different things to different people,” Nicholls explained. “Ultimately, we’re testing the whole business and processes—attacking systems, people, and workflows to triage issues by severity.”

However, he noted that Red Teams often uncover non-technical problems, such as inadequate phishing training. “Our approach balances depth versus breadth,” he added. “We target people, processes, and technology, assessing an organization’s ability to detect and respond to an attack.” This holistic perspective helps companies strengthen their defenses from all angles.

Building a Cybersecurity Scorecard: A Proactive Approach

Next, Chris Strand, senior director of compliance and governance at Carbon Black, addressed the challenge of measuring security posture amid shifting regulations. With GDPR enforcement looming in 2018, Strand argued that a cybersecurity scorecard is essential. “No matter your role—board member, CISO, or analyst—regulations affect you,” he said. “Every security incident triggers new policies or stricter standards.”

Strand outlined nine steps for creating an effective scorecard, from defining business objectives to reporting critical controls. “Scorecarding reduces liability and provides security assurance, not insurance,” he stressed. “Assurance is proactive; insurance is reactive.” This framework helps organizations present complex security data in a clear, actionable format.

Key Components of a Risk Scorecard

Strand’s nine-step process includes identifying stakeholders, applying a framework like NIST, and enforcing policies. By collecting data based on these policies, companies can report on critical security controls. This structured approach ensures that security efforts align with business goals and regulatory demands.

Endpoint Security: The Persistent Weakness

Adam Bridge, senior intrusion analyst at Context, closed the event with a sobering look at how breaches occur. He highlighted that most companies learn of compromises through third parties—such as banks or ransomware messages—rather than internal detection. Phishing attacks remain the top vector, followed by drive-by downloads and malvertising.

Bridge lamented that organizations still neglect endpoint security. “Defenders are improving, but things remain pretty bad,” he said. “Companies invest heavily in network perimeter defenses but forget the endpoint.” Relying solely on firewalls and antivirus leaves organizations vulnerable. “Endpoint protection complements other technologies; it doesn’t replace them,” Bridge concluded. Without it, businesses lack a critical layer of defense.

For more insights, explore our guide on cybersecurity strategies or learn about Red Teaming best practices.