Cyber leaders say penetration testing is not foolproof

May 4, 2021

Research shows that while organizations invest significantly and rely heavily on penetration testing for security, the widely used approach doesn’t accurately measure their overall security posture or breach readiness — the top two stated goals among security and IT professionals. The research, conducted by Informa Tech and commissioned by CyCognito, surveyed enterprises with 3,000 or more employees and found that 70% of organizations perform penetration tests as a way to measure their security posture and 69% to prevent breaches, yet only 38% test more than half of their attack surface annually.

Many organizations are conducting penetration tests to detect and mitigate threats yet remain dangerously vulnerable. CyCognito’s research shows that when using penetration testing as a security practice organizations lack visibility over their Internet-exposed assets, resulting in blind spots that are vulnerable to exploits and compromise. Just as locking the front door of a house but leaving the back door and windows unlocked creates an attractive target, attackers will naturally focus on those IT assets organizations leave untested.

Key findings include:

It’s common for organizations with 3,000 employees or more to have upwards of 10,000 internet-connected assets, however 36% of survey respondents said that only 100 or fewer assets are covered by pen tests; 58% said 1,000 or fewer assets are covered by pen tests.
60% report that they are concerned pen testing gives them limited coverage or leaves them with too many blind spots
47% say that pen testing detects only known assets and not new or unknown ones
45% of respondents conduct pen tests only once or twice per year and 27% do it once per quarter, which is woefully inadequate given the fast pace of threat evolution and how quickly infrastructure/applications change .
79% believe that pen tests are costly. 78% would utilize pen tests on more apps if the costs were lower.
It takes 71% of respondents anywhere from one week to one month to conduct a penetration test. Then, more than 26% have to wait between one to two weeks to get test results, and 13% wait even longer than that.

How can you advance your career in the security industry with the skills and competencies necessary to benefit your organization? What will the security executive and the security function of the future look like? Join us as we hear from veterans in the security industry about their experiences, their lessons learned, and best practices for advancing their careers.

Security measures today tend to focus on controlling access, albeit with limitations. Many organizations, for example, know how many people have entered a secure location, but not how many have left.

Cyber leaders say penetration testing is not foolproof

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.

Cyber leaders say penetration testing is not foolproof

Related Articles

Related Products

Related Events

Get our new eMagazine delivered to your inbox every month.

Stay in the know on the latest enterprise risk and security industry trends.