Core Security director slams ITsec professionals over recent breaches

In his latest security blog, Yaffe says: "Could it be any clearer that information security approaches that focus on defensive tactics just aren't working? How many times do we need to open the Wall Street Journal and see a headline about how yet another company has had sensitive consumer information stolen?"

"In just the past [few days], we've spoken with several national reporters and many companies who want to know what can be done to control the escalation of major breaches. Our answer is pretty straightforward: pro-actively test yourself and find the problem before someone else does", he adds.

Yaffe argues that it is now time to go on the offensive with security.

With all of the coverage on cyberattacks affecting major corporations, most recently Citigroup, he says that the question that comes to mind is: "Why are companies so hesitant to perform regular security testing?"

"By security testing, I mean using safe attacks (the kind that give you access but don't cause any damage) to pro-actively see if you can break into your own infrastructure. Basically, you figure out if you have a hole that would allow a bad guy access and fix it before they figure out a way to leverage it", he explained.

According to the Core Security director, the company has more than 1,300 customers who are testing their security in real time for breaches - but, he asks, what about the other tens of thousands of companies that aren't?

Yaffe goes on to say that he thinks that, if you ask many organisations why they aren't pro-actively testing their security, the answers coming back would boil down to a few simple issues - most notably, that security information can be overwhelming and that showing where you have a problem is a scary proposition.

A lot of organisations, he asserts, do not want to admit to themselves (or their management) that they are not perfect and/or then have to allocate the resources needed to fix the problems.

"Plausible deniability is an easy route for too many people. Some organisations are worried that you might leave a service unavailable during this testing, which admittedly is a possibility", he says.

"However, there are best practices to maximise service uptime, like working with the asset owner before the test, testing in the lab, testing a staging environment, or testing during a maintenance window - just do it at a time of your choosing", he adds.
