Covid-19 threw the spotlight on cyber security like never before. The unprecedented global shift to remote working and the subsequent surge in cyber crime made a robust cyber security posture across every part of the newly extended network a priority for business leaders. Many organisations had to make this transition rapidly, which increased the likelihood of misconfigurations and other errors, while the drastically enlarged attack surface presented fresh challenges around remote access and VPN connections, phishing, and many other types of network attack.
Ensuring adequate protection against this wave of new security threats facing every size and shape of business became paramount, and challenged CISOs to balance reduced budgets and staff against the requirement for increased technology investment. Within this, penetration testing has played a vital role in ensuring organisational security throughout the pandemic, providing value not only in testing and measuring security posture, but also in identifying and prioritising high-risk security vulnerabilities and ensuring compliance. But have CISOs focused sufficient resources on penetration testing, and have such investments worked to deliver the clear vision for overall cyber security strategy that penetration testing promises?
Penetration testing, also called pen testing or ‘ethical hacking’, is the practice of uncovering and exploiting vulnerabilities in a computer system, network or web application in order to determine how secure those assets actually are and to intelligently prioritise risk. Gartner has identified pen testing as a key cyber security strategy for 2021. By testing an organisation’s infrastructure, pen testing provides insight into security weaknesses and into how an attacker could exploit them to gain access to the organisation’s data. Additionally, these tests can verify that other mandated security measures are in place and working properly, and provide evidence of that adherence to auditors.
Creating and rolling out an effective cyber security strategy
In our recent second annual Penetration Testing Report, which canvassed 300 cyber security professionals across the world, the value of pen testing was easily agreed upon: 91% of respondents noted that penetration testing is at least somewhat important to their security stance, and 75% test to measure security posture and to support vulnerability management programs. And yet the majority of respondents confirmed that testing takes place only once or twice a year (53% test only once, annually), suggesting a mismatch between what practitioners believe and their day-to-day practice.
Every organisation has some type of data that is vulnerable, and given the widely reported and sizeable consequences of cyber attacks, this mismatch deserves closer attention: either to understand what is driving it, or to examine whether the confidence behind it is justified, since CISOs risk culpability for not acting on identified issues.
Budget cuts under Covid-19 and a lack of executive buy-in are accepted as core challenges for CISOs (50% of respondents noted an inability to get their organisations to act on findings), but skillset gaps and inattention to pen testing findings are perilous in today’s security climate. There is, however, a straightforward path to remediation through investment in internal and external talent and/or the right pen testing technologies.
How to empower your chief information security officer (CISO)
Today, the evolution and advancement of the penetration testing field has delivered much flexibility in the many ways tests can be conducted — internal teams, third-party teams, automated pen testing tools, etc. And pen testing can be done to match any scale or budget. For example, pen tests can be strategically scoped to focus on the most critical systems within an organisation.
While third-party pen testing teams are recommended for verifying compliance or conducting particularly complex tests, in-house teams deliver consistency in process, ensuring that compliance and security are continuously maintained.
Investment in internal pen testing staff (who can test more frequently) means that security weaknesses can be uncovered faster, which boosts confidence in security stance. In fact, only 31% of businesses without an internal team felt confident in their security posture. As organisations begin to recover post pandemic, pen testing tools can offer a flexible and viable solution to businesses, which can enhance pen testing processes and provide the most critical day to day support to internal teams.
Interestingly, in our report just 1% of respondents indicated that they don’t use any type of penetration testing tool, which clearly demonstrates how crucial tooling is to the pen testing process. While CISO preference is split between enterprise and open source tools, all recognise the complexity of the testing process and the need for a full tool stack to cover every need. An overwhelming majority look for centralisation, integration and automated reporting functionality so that testers have a more streamlined experience, easing prioritisation, remediation and evaluation for compliance.
Today, it is critical that organisations invest in adequate pen testing processes so they can tailor their program to suit their individual needs and available resources. With issues like compliance and remote work being high on the agenda for many businesses, pen testing shows every sign of remaining a crucial practice for years to come.
Putting your organisation to the test on a regular basis is still the best way to ensure you’re continuously reducing your cyber risk exposure, and pen testing can provide both short- and long-term value by identifying priorities for critical remediation and playing a central guiding role informing overall cyber security strategy.