Cyber leaders say penetration testing is not foolproof

May 4, 2021

Research shows that while organizations invest significantly and rely heavily on penetration testing for security, the widely used approach doesn’t accurately measure their overall security posture or breach readiness — the top two stated goals among security and IT professionals. The research, conducted by Informa Tech and commissioned by CyCognito, surveyed enterprises with 3,000 or more employees and found that 70% of organizations perform penetration tests as a way to measure their security posture and 69% to prevent breaches, yet only 38% test more than half of their attack surface annually.

Many organizations are conducting penetration tests to detect and mitigate threats yet remain dangerously vulnerable. CyCognito’s research shows that when using penetration testing as a security practice organizations lack visibility over their Internet-exposed assets, resulting in blind spots that are vulnerable to exploits and compromise. Just as locking the front door of a house but leaving the back door and windows unlocked creates an attractive target, attackers will naturally focus on those IT assets organizations leave untested.

Key findings include:

It’s common for organizations with 3,000 employees or more to have upwards of 10,000 internet-connected assets, however 36% of survey respondents said that only 100 or fewer assets are covered by pen tests; 58% said 1,000 or fewer assets are covered by pen tests.
60% report that they are concerned pen testing gives them limited coverage or leaves them with too many blind spots
47% say that pen testing detects only known assets and not new or unknown ones
45% of respondents conduct pen tests only once or twice per year and 27% do it once per quarter, which is woefully inadequate given the fast pace of threat evolution and how quickly infrastructure/applications change .
79% believe that pen tests are costly. 78% would utilize pen tests on more apps if the costs were lower.
It takes 71% of respondents anywhere from one week to one month to conduct a penetration test. Then, more than 26% have to wait between one to two weeks to get test results, and 13% wait even longer than that.

Security leaders need to accept and act on this reality and take measured and thoughtful steps to mitigate the risk and train staff about the growing likelihood of such violent incidents in their facilities and workplaces.

In this webinar, we review the results of a benchmark study that asked security professionals about their past, present and future outlook on manned guarding. Want to know what your peers are saying about their weekly billed hours? Join us to find out!

Poll

Comparison Metrics

View Results

Poll Archive

Products

Effective Security Management, 7th Edition

Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics.

See More Products

Cyber leaders say penetration testing is not foolproof

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Cyber leaders say penetration testing is not foolproof

Related Articles

Related Products

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.