CISO Commentary: Budgeting for Offensive Security
Recently, Core Security released the 2024 Penetration Testing Report, which shares the results from an annual survey of cybersecurity professionals on their experiences with offensive security strategies and solutions. In this series, we’ll take a deeper dive into some of the most noteworthy findings from the survey, with expert insights from Fortra’s CISO, Chris Reffkin, and Lead Product Manager for Infrastructure Protection, Pablo Zurro. In the first installment, we looked into the optimal frequency of pen testing. In this second installment, we’ll discuss how organizations can pen test within their budget, and why offensive security can ultimately be a cost-effective strategy.
A Common Concern: The Cost of Offensive Security
According to the 2024 Penetration Testing Report, lack of funding was the most common reason (28%) respondents did not conduct penetration tests. Cost was also a top concern when evaluating pen testing tools (73%) and other proactive solutions (75%). With cybersecurity becoming an increasingly cumbersome task, it is unsurprising that resource allocation is growing progressively more challenging. How can organizations ensure that they’re remaining economical in their proactive security strategy without sacrificing efficiency?
Laying a Foundation by Testing the Crown Jewels
Reffkin recommends starting small if you’re working within significant financial constraints. You don’t necessarily have to cover the entire footprint of an organization all at once. Instead, take a phased approach and begin with pen testing your most essential assets. Each organization has a set of “crown jewels” – mission-critical data, systems, and resources that allow the business to function effectively and successfully.
These assets typically include sensitive information that cyber-attackers are sure to target, but they often look different depending on the industry and individual organization. For example, e-commerce companies may want to ensure that their payment gateways and customer data are secure to prevent fraud. Manufacturers may want to safeguard their industrial control systems (ICS) and operational technology (OT) to make sure production is not interrupted. And healthcare companies want to protect patient data and ensure patient safety by testing indispensable medical IoT devices.
Starting Small to Enable Data Driven Decision Making
One big reason proactive efforts are difficult to secure funding for is that their ROI is so abstract. How do you quantify events you prevented from ever happening? Reffkin and Zurro point out that by testing the most crucial parts of your infrastructure, you are also building a business case that can demonstrate the need for additional funding to add further testing phases to an organization’s offensive security strategy. When running these tests, whether they are done by internal pen testers or a third party, be sure to produce thorough reports to help illustrate the benefits of these assessments.
Reffkin underscores the importance of how these results can show decision makers that even when protections are in place, we simply don’t know how they will endure and what the potential fallout could be unless we put them to the test. Just as engineers evaluate how building materials hold up under extreme conditions to see if they can withstand natural disasters, pen tests increase the strength and efficacy of cybersecurity controls by identifying weak points before they’re put under real duress.
Proactive Testing to Reduce Reactive Spending
Discussing the results of a pen test is also an opportunity to compare the potential fiscal consequences of an attack versus the expense of offensive security. These could include the loss or theft of sensitive data and disruptions in operations (not to mention loss of customer confidence) that could require months of costly recovery efforts. Detailing the potential damage a vulnerability could have caused had it not been found during an assessment is a useful way to show ROI.
Reffkin encourages emphasizing the risk of “not knowing what we don’t know.” Whether a small start-up or a large enterprise, no organization has the capacity to maintain unwavering surveillance of every facet of the complex technical environments that are integral to contemporary business practices. There will always be vulnerabilities that emerge unexpectedly, and forever-day threats that will persist. In accepting that no infrastructure is flawless, an organization must also commit to closing gaps and minimizing risk where possible.
Ultimately, these assessments are not merely a readjustment in financial planning; they are a paradigm shift that encourages prevention in addition to, and ahead of, response. Pen testing and other proactive solutions like vulnerability management and red teaming are the mechanisms for this proactive mindset, providing a roadmap towards a more resilient infrastructure.