According to the 2020 Pen Testing Report, 97% of cybersecurity professionals surveyed felt that penetration testing was somewhat important or important to their organization’s security posture, with 95% also reporting that penetration testing was at least somewhat important to their compliance initiatives.
Despite this importance, 47% of cybersecurity professionals reported their organization hasn’t pen tested, or only ran tests one-two times a year. Oftentimes, this is due to a lack of an in-house team, or even a single pen tester on staff. However, what many of these organizations don’t realize is that they can still successfully conduct valuable testing to help prioritize security weaknesses and validate remediation efforts.
Read on to find out why some organizations don’t pen test, when you need an expert pen tester, and how automated tools can enable security professionals to safely run expert level tests.
Pen Testing Limitations: The Skills Gap and Limited Budgets
Hiring enough skilled personnel to perform pen tests was the top challenge (63%) to implementing and maintaining a pen testing program. Only 25% of those surveyed reported having pen testing teams with six or more years of experience. The shortage of professionals with the necessary skills and years of experience is a well-known problem within the cybersecurity community. In fact, according to the 2019 Cybersecurity Workforce Study by (ISC)2, 65% of organizations report a shortage in staff, and data indicates that the cybersecurity workforce needs to grow 145% in order to close the skills gap.
Additionally, 30% of those surveyed for the 2020 Pen Testing Report said that getting executive sponsorship and funding for a pen testing program was also challenging. While penetration testing services can be brought in to provide expertise, they are often only utilized once a year due to budget constraints.
Bridging the Gap: Automation and Simplified Penetration Testing
Even as initiatives are launched to help increase the number of cybersecurity professionals, it takes years for someone to become an expert. Does this mean that organizations have to wait to integrate penetration testing into their security posture? With the right strategy, the skills gap will not delay a business from deploying critical pen testing initiatives.
Not every test requires an expert. In fact, automated pen testing tools like Core Impact are ideal for simplifying the process so that a number of tests can be performed by team members that don’t necessarily have a deep background in pen testing. Core Impact’s Rapid Penetration Test (RPTs) are step-by-step wizards that safely guide a tester through exercises like validating vulnerability scans, network information gathering, privilege escalation, or even phishing simulations.
Certain aspects of pen testing can be quite repetitive. With automation capabilities, a complicated test, like exploiting a buffer overflow, can be streamlined and automated. It can be run manually by an expert once and saved as a module. The task is now automated, so any user could run it any number of times with a few simple clicks.
Additionally, general tests that validate remediation are also straightforward. An initial test completed by a third-party service may have revealed a number of security weaknesses. A beginning pen tester could run a follow up test to see if the measures taken to fix these vulnerabilities were effective.
Using Your Pen Testing Resources Strategically
Of course, expert pen testers are still a critical part of pen testing. For complex tests that require delving deep into different systems and applications, or running exercises with multiple attack chains, you’ll want a person or team with more experience. In order to test a realistic attack scenario, you’ll want a red team that uses sophisticated strategies and solutions similar to threat actor techniques.
Ultimately, the availability of expert pen testers is limited. And attackers won’t wait for the cybersecurity industry to catch up—they’ll continue to take advantage of these shortages as long as we let them. Overcome these limitations by leaving basic and repetitive tests to security team members who aren’t pen testers, so you can maximize time and benefits when you do utilize expert services. By combining these efforts, organizations can still run a healthy and effective pen testing program.