Bob Maley, CISO for the Commonwealth of PA, has made some extraordinary progress in managing IT security risk via the adoption of automated penetration testing, as evidenced by his recent speech at the RSA Conference 2009.

If you’re looking for an argument to present to your IT security management staff, CISO, CIO or anyone else who might ask for the explicit dollar value that adding automated penetration testing to your security and vulnerability management programs can deliver, boy, have we got the guy for you.

I finally had the chance to meet one of Core’s most valued customer references this week – Bob Maley, Chief Information Security Officer for the Commonwealth of Pennsylvania – at the RSA Conference 2009 where he was presenting on the “Lessons Learned” track on the topic of “Defending Citizen Data: Proactively Preventing Government Breaches.”

And let me tell you, in addition to being one of the most candid, pragmatic security executives that you could ever care to meet, he’s also one heck of a super nice guy.

But beyond the personal pleasantries, even those of us who work for Core and have become familiar with Bob’s story over the last few years were pretty surprised when we saw some of the improvements and metrics that Bob and his team have been able to achieve using CORE IMPACT Pro, along with source code analysis and vulnerability scanners, under the state’s current programs.

Overall, Pennsylvania’s ability to drive down its electronic record exposure incidents, and some of the financial metrics that Bob can tie to that work, are actually pretty staggering.

Basically, when he got his job three years ago, Pennsylvania had no capability even to find or report security vulnerabilities in IT systems, such as the many public-facing Web applications through which the state gathers and distributes information to its constituents.

Unfortunately, the reality, Maley said at RSA, was that the state’s security team had not really even begun to move down the vulnerability management path.

But then the attacks on its Web sites started in earnest a few years ago, including SQL injection campaigns coming out of China, forcing the state to report a total of 500,000 stolen citizen and employee records during 2007.

And while the public attention that those incidents generated was painful for his department, the spotlight on data protection allowed Maley to make some radical changes to the way that IT security, specifically Web apps security, was being handled in his state.

Big changes – Serious results

By adopting a more proactive approach and penetration testing applications both before they went live and then again on an ongoing basis, specifically using CORE IMPACT Pro, the state saw a massive improvement.

To note, Pennsylvania dropped its total volume of exposed records to only 212 files during 2008. So far, in 2009, the state has only had 2 sensitive records compromised, the CISO contends.

And if those numbers aren’t enough to impress you, consider this: Using IMPACT Pro and other vulnerability management technologies throughout ’08, Maley said that Pennsylvania managed to find additional vulnerabilities that could have allowed data thieves to make off with some 408,000 sensitive personal records.

If you apply Gartner’s estimate that it costs an organization a minimum of $90 per lost record to inform affected individuals and provide those people with data monitoring services and the like, that means that the state saved over $37 million by finding those flaws before the bad guys could.

Using a more aggressive number – such as the $200 per record expense figure published by Ponemon Research in 2009 – Maley and his team might have saved Pennsylvania over $82 million in associated costs in one year alone.

And financial savings haven’t been the only benefit of adding penetration testing and other vulnerability management functions to their security programs, the CISO said. By implementing the solutions, the state has also been able to refine its entire applications development process.

Whereas several years ago his security team, among others, was being informed about new applications in development only a week, or several weeks, ahead of deployment, now they’re being involved in the upfront planning years in advance, allowing the state to save time and money not just on security issues, but also in relation to its entire applications management program, from initial development through to decommissioning.

“Through penetration testing, vulnerability scanning and source code analysis we’re trying to change our entire culture with this process; we’ve put a strategic plan in place and we’re moving toward a result of changing how applications are put out on the Web,” Maley told the crowd at RSA. “We’d been fighting a losing battle, with all of the applications, with the size of the government, we didn’t know how to get our hands around the problem; now, anyone buying software or developing applications in house needs to initiate this process at the design phase.”

And of all the technologies PA has had at its disposal, Bob specifically highlighted automated penetration testing as one of the most important contributors to the state’s improved process and workflow.

“Penetration testing safely exploits vulnerabilities and eliminates false positives; we love scanning but it generates huge reports and when we give that information to remediation, it’s too much data, nothing ever gets done,” Maley said. “Now, we can show them how these problems can be compromised, to get immediate results so we can fix critical issues quickly; automated tools were key, we would have never had the same results without that.”

These are the kinds of things we’re constantly trying to communicate through our marketing efforts.

But, it means so much more when our customers deliver the message.