Sprawling IT infrastructures that span on-prem and cloud environments give attackers more opportunities than ever to reach organizations' critical assets. Without an up-to-date, clear line of sight into this complex terrain, organizations are at a disadvantage when it comes to managing their exposure and closing the exploitable gaps in their security.
Pentera’s 2024 State of Pentesting Report found that despite investing in an average of 53 security solutions across the enterprise, over half (51%) of enterprises reported a breach in the past 24 months. Only 7% of those reported no significant damage as a result, whereas 93% reported unplanned downtime, data exposure, and/or financial loss. It’s clear that more technology doesn’t guarantee better security; organizations need to improve the effectiveness of their security programs, not just the size of their toolsets.
Our data shows that there remains a serious frequency gap between the rate at which changes occur within IT infrastructure and the rate of security validation testing. Almost three-quarters (73%) of organizations report changes to their IT environments at least quarterly, yet only 40% report pentesting at that frequency. At this rate, an exposure introduced by a change can sit untested, and exploitable, for months.
Pentesting and red-teaming exercises emulate the tactics, techniques, and procedures (TTPs) that threat actors use in the wild, giving security teams crucial evidence about how their existing security controls actually perform. Given the dynamic nature of today’s IT networks, consistent access to these insights would be a major boon toward identifying and remediating exploitable security gaps before they are exploited. Yet Pentera’s State of Pentesting Report shows that 60% of organizations still pentest at most twice per year. Only 1% of CISOs report that they do not need additional pentesting, making it clear that organizations want to test their attack surface more often. So the question becomes: what’s stopping them?
Let’s examine the barriers that keep traditional security testing from keeping pace with today’s complex and sprawling attack surface.
Security Cannot Impact Business Continuity
It’s likely that many organizations that engage in pentesting have suffered a network disruption as a result at some point, and the institutional memory of such incidents is strong. Above all, security teams are tasked with preventing downtime from attacks, so to have it happen from testing exercises leaves them understandably cautious. More than a third of CISOs (39%) report that the risk to business applications and/or network availability prevents them from increasing pentesting frequency.
While network downtime has an impact on a number of levels, when an in-production system is disrupted the impact to the bottom line is the chief concern. This is common across many industry verticals, including but not limited to retail, ecommerce, and banking/finance. In many cases, CISOs attempt to run a pentest on a digital twin (a non-production copy of the environment); however, the results of any test outside the real production environment are a simulation of what could happen, not a demonstration of what does. Such tests don’t accomplish what true pentesting sets out to do: show how your security can be circumvented across your live environment. Where production testing is unavoidable, the practical mitigations are the familiar ones: a tightly agreed scope and exclusion list, rules of engagement that exclude denial-of-service and destructive actions, test windows coordinated with change management, and a named contact empowered to halt the test.
CISOs must research and find pentesters with a high level of skill in the type of environment their organization operates. Pentesters have varying and specialized skill sets: a pentester who is excellent on on-prem networks may have little experience with cloud environments (or vice versa). Ultimately, the more experience a tester has, the less likely they are to make a simple mistake that causes network downtime.
The Need for Skilled Cyber Talent Includes Pentesting
Consistent with findings from the 2023 State of Pentesting Report, the availability of pentesters remains a top challenge for organizations in 2024, with 41% of CISOs citing this gap in pentesting expertise as a roadblock. As noted above, traditional pentesting requires highly skilled personnel with deep knowledge of the environments they are operating in. Finding experts whom CISOs trust to test on a more frequent basis can be challenging given the high demand for their skills in the market, and the scalability of such a plan is also questionable given the cost of each assessment.
As in most industries, automation is playing a larger role in the world of pentesting. Automated solutions enable organizations to scale their pentesting practices and reap the benefits of the attacker’s perspective on demand, rather than waiting for their twice-yearly testers. Unlike traditional pentesting, which covers 10-15% of the network over a two-week period, automated solutions enable organizations to cover their complete environment in a far shorter timeframe.
The rate of change within the organization’s IT environment dictates that we move faster. What was flagged as an exploitable gap last month may no longer exist, and new exploitable gaps will likely have appeared. Organizations need an accurate view of their environment and its associated exposures at any moment and at any scale. With the introduction of Continuous Threat Exposure Management (CTEM), organizations' security validation and testing are expected to become continuous practices, making automation in these processes a must-have.
Organizations Lack Resources to Remediate
There is a growing sentiment among CISOs that they cannot increase pentesting because they lack the resources to remediate what it finds. In 2023, only 21% reported a lack of internal resources for remediation as a barrier to pentesting. This year, our data shows the number leapt to 36%. This was rated a primary concern specifically among smaller enterprises, whose smaller teams handle such tasks.
Over 60% of enterprises report receiving at least 500 incidents requiring remediation weekly, which means that patch perfection has never been more elusive. While the perception is that more testing leads to more issues to remediate, those issues are there whether you test for them or not. What changes is your ability to focus effectively, so pentesting more often actually improves the efficiency of security work. Unlike traditional vulnerability management (VM) solutions, which enumerate every potential vulnerability in your environment, each vulnerability on a pentesting report has been proven exploitable within your environment. That proof is bounded by the scope and timeframe of the test, so it sharpens VM-driven prioritization rather than replacing discovery altogether.
By testing your security against the latest attacks, pentesting helps security teams home in on the small percentage of exploitable gaps within your existing landscape, among the hundreds or thousands of “potential” vulnerabilities that aren’t impactful in your environment thanks to mitigating or compensating controls. Isolating this smaller set of exploitable vulnerabilities enables security teams to reduce the exposure within their environments efficiently and effectively.
The Future of Pentesting
Ultimately, security must be effective at preventing attacks, and pentesting adds too much value to limit its use to twice a year. Pentesting enables security teams to see their environment from the attacker’s perspective and stress-test their defenses, proactively identifying and remediating exploitable gaps before threat actors have a chance to use them.
According to Gartner’s Hype Cycle for Security Operations, 2023, “Security and risk management leaders must develop strategies centered on business risk instead of just adopting new ways to do the same things better.” The security teams who can efficiently understand the context of a vulnerability, its compensating controls, and the data it leads to will be the ones to stay in the game. Improved pentesting and security validation practices are the keys to this equation.
Like any change in process, this can and should be a phased approach; trying to “boil the ocean” will only result in failure. Proactive security validation enables the business to function properly by stopping attacks before they come to pass. Start by focusing on critical business assets, then grow the program outward to the rest of the business.
The answer to “how often?” will vary. The natural approach is to align validation with existing business processes such as change management, closing the frequency gap described earlier. Ultimately, a security validation program should resemble a proper business continuity plan, where backups are tested regularly. When we test regularly, we are confident; when we are confident, the business can focus on business initiatives.
Barriers do not have to remain barriers forever. Understanding them, and working with the business, can illuminate ways to overcome them and keep the security program in a ready state. I speak confidently as I see more organizations adopt this mindset. I look forward to a better future where we all stay a step ahead of the attackers, instead of being on our heels.