Stop Rolling The Dice: Make PtaaS The Core Of Proactive Cybersecurity Programs

Forbes Technology Council

Caroline Wong is the Chief Strategy Officer at Cobalt, a cybersecurity company with a focus on Pentest as a Service (PtaaS).

Cyberattacks are a lot like dice; each roll is independent of the next. And without proactively instituting preventative security controls, organizations are rolling the dice and leaving their luck up to cybercriminals, who will stop at nothing to uncover new ways to exploit vulnerabilities that leave organizations at their mercy (think high-profile security breaches like the 2021 Colonial Pipeline and JBS attacks, and the long line of cybersecurity attacks before and after them).

Proactive, preventative testing is critical for an organization’s security posture in today’s ever-evolving risk landscape. A tactic that often gets lumped in with the challenging, compliance-related “have to dos” is pentesting. However, when done effectively, pentesting (and addressing pentest findings in a timely manner) can be what prevents your organization from becoming the next security headline.

Here, I’ll dive into the challenges security teams often face with preventative testing and why pentesting (and PtaaS, which I’ll get into later) can help companies stop rolling the cybersecurity dice — and eventually leave the gambling table altogether.

Why Teams Still Aren’t Getting It Right

As security teams evolve their tactics for deterring cyberattacks, it’s become obvious that “multiple lines of defense” is a sound strategy. But even with the right goals and tools in place, there are issues that still routinely slip past security teams. In fact, recent data we collected shows that many security teams have been struggling with the same top five vulnerabilities for four years in a row. On the flip side, the high-profile cyberattacks of late are not vastly different in nature and execution from what we’ve seen happen over the past five years. Coincidence? Highly unlikely.

One reason these issues continue to creep past security teams (and why cybercriminals are taking advantage) boils down to how accessible, quick and easy to implement preventative security tools are. You can have an extremely layered approach to preventive cybersecurity, but success hinges on getting that stack set up quickly, obtaining insights in real time and remediating issues accordingly.

When it comes to pentesting, one of the most critical pieces of the preventive cybersecurity puzzle, the sentiment across IT and security teams is that it has historically been inaccessible, slow and difficult to implement.

The Old Way Isn’t Cutting It

Traditional pentesting programs (a defined series of pentests designed to identify and remediate vulnerabilities in one or more assets) aren’t measuring up to a modern approach to software development.

According to Cobalt’s research, while 78% of security professionals agree that pentesting should be top priority for their teams, they test only 63% of their overall application portfolios, on average. The reason for this disconnect is alarming: More than 50% of security professionals believe that traditional pentesting is simply too slow to schedule. A notable 55% said they have to wait weeks for their pentest results — while 22% have to wait months — using traditional pentesting. These long wait times are significant, as they leave vulnerabilities undetected and can delay the development and deployment of new code to mitigate them.

To make matters worse, according to a recent Core Security study, hiring enough skilled employees to conduct the testing poses a big challenge. The old-school pentesting process makes security patching less accessible — and thus, less reliable.

Moral of the story? To effectively thwart increasing cybersecurity threats and meet modern development cycles, pentesting needs a facelift — with skilled talent on-demand and a simpler setup.

Enter PtaaS: A New Way To Assess And Protect

Traditional pentesting provides only a point-in-time snapshot of an enterprise’s risks, weaknesses and vulnerabilities, which is why the new and emerging pentest as a service (PtaaS) model is a game changer that will ultimately help organizations stop rolling the cybersecurity dice.

PtaaS allows organizations of all sizes to manage a scalable, efficient pentest program. A PtaaS platform integrates with security and development tools and enables real-time collaboration with pentesters.

On top of that, PtaaS also includes a historical view of past tests so enterprises have a more holistic view of their past security posture. Organizations can use this information to find, fix and prevent those top issues that keep getting missed.

Yes, we’re in the age of everything “as-a-service.” The reality? It’s high time that traditional security measures follow the SaaS revolution, further integrating into technology stacks and development processes versus acting as forced add-ons. This is how companies will up-level their proactive cybersecurity measures and combat the bad actors that have been wreaking cyber havoc for far too long.

Ask yourself the following questions to determine the best solution provider for you:

What is the time-to-results? How long before I can begin a test and have results that I can put into use?

How much does it cost? Can I afford to test everything that I need tested?

What’s the likely impact on my organization’s security posture?

Data breaches will only continue to dominate the headlines in 2022, according to new research from Check Point Software. Start the new year on a high note by taking time to assess whether you’re investing in the right security tools to identify vulnerabilities and mitigate risks.
