For many CISOs and security leaders, a penetration test has become the same report year-on-year without any clear road map for practical change. In a poll taken during the webinar, 50% of the audience stated that their last penetration test lacked any actionable insights.
There is clearly demand for cyber security services that actually drive business value – so how can we get there? We've shared the key insights from our panel of experts below, or alternatively you can catch up on the full webinar recording.
Why do we need to talk about penetration testing?
- Pen tests have become quicker and cheaper, reduced to a checklist exercise in scanning, running generic tools, and then celebrating it – where is the real benefit for CISOs and companies?
- Vendors have lost sight of the original goal of a pen test, which is to increase resilience against attackers and to enable your security teams to do better.
- Pen test findings need to be applied to your business’s unique threat model to create actual security outcomes.
“Pen test vendors seem to ‘stack it high, sell it cheap’ and that worries me – I personally don’t trust there can be value from a price tag less than £10k. I want value but quality is what makes a pen test worth doing for companies and I wonder if the pen test sector understands that. There is this race to the bottom on price that manifests so many issues for customers due to lack of value.”
Matthew Bryant // 118 118 Money
What are the issues with current suppliers?
- Pen tests should lead to actionable improvements in security, and not serve as a vehicle for companies to solely tick a box.
- Shared learning for the CISO and security team is critical to the value of pen tests. Pen testers – the experts – should be bringing you unique insights and helping you address skills gaps in the team. If you’re getting a clean bill of health, you need to ask yourself, what was the benefit?
- Pen testing is no longer the collaborative engagement and partnership that it should be.
- Vendors today approach it simply as a transaction, recommending ad-hoc, compliance-driven pen tests which won’t help you achieve your security goals.
What are effective approaches to penetration testing?
- Pen tests can be extremely valuable if they are intelligence-led. They should consider the rest of the business, create links and provide insights. A good pen test should help you communicate security problems and issues to the board, along with your approach to addressing them.
- These tests should help you to continuously monitor and manage finite resources, and to form a strategic risk assessment that gives you an actionable roadmap.
- Currently a ‘good’ pen test is seen as a report with lots of bad findings. Pen test reports can also shine a light on the good work, demonstrating to the rest of the business where processes are working and we’re getting it right.
- Many pen testers need to improve their engagement after testing, to help our teams build better outcomes by understanding the findings and verifying that we’ve addressed them.
- Pen testers should take time to learn about your specific requirements and goals for the test, and have the ability to challenge you where needed.
- Take a purple teaming approach and your results will be better informed, and you will continuously train the blue team on what they might have missed.
- Make sure you have an actionable roadmap on steps to take next, and that it is aligned with your business maturity and staffing.
How can Secure Impact help?
Setting a new industry standard
- We are disrupting the industry with business-oriented cyber security services.
- CISOs and security teams have real challenges which likely won’t be solved with ‘silver bullet’ products, automated scans, or generic reports. Our penetration tests are business-oriented, bespoke to your risk profile, and geared to creating learning outcomes for your team.
- Our reports are tailored, accessible and will provide you with the insight and roadmap to make both immediate and longer-term changes to improve your security maturity.
- Our GIAC-certified team are the best of the best in the industry and have worked with defence, intelligence, FTSE 100 and Fortune 500 companies on some of the world’s highest-profile cases. They will work with your team to create actionable shared learnings.
If you believe in these themes, have pen testing needs, or would like to have a chat with the team to learn more, please get in touch!