TMCnet News

Survey Shows Validation of Security Control Effectiveness is Primary Reason for Penetration Testing, While 47 Percent Admit to Just Meeting Regulatory Compliance
[August 15, 2018]


IRVINE, Calif., Aug. 15, 2018 (GLOBE NEWSWIRE) -- SecureAuth + Core Security, the leader in identity security automation, today announced results of a nationwide survey that reveals the primary reason for penetration testing is to validate the effectiveness of security controls and identify weaknesses. Findings also showed that most organizations conduct penetration testing multiple times throughout the year – often just to meet regulatory compliance – yet struggle to hire well-qualified personnel to conduct the tests, which hinders their effectiveness.

Penetration testing (pen testing) is a proactive strategy that simulates attacks to validate security controls and identify security weaknesses. In its Forecast Analysis: Information Security, Worldwide report, Gartner estimates a CAGR of 14 percent in spending for security testing during 2017-2022*.

Although enterprises are taking more proactive defensive measures against the proliferation of breaches than ever before, the survey’s findings revealed that security professionals are concerned by a shortage of skilled personnel to handle the testing workload.

Security control is the top driver for pen testing
The research, conducted by Decision Analyst and commissioned by SecureAuth + Core Security, found the primary reason organizations conduct pen testing is to validate that their security controls are working effectively (70 percent), and more than half (60 percent) want to identify potential weaknesses that could be exploited by an attacker. However, 47 percent admitted they have penetration testing controls simply to meet regulatory compliance mandates. The need to meet regulatory compliance mandates may have increased as new regulatory directives, such as the General Data Protection Regulation (GDPR), have gone into effect. However, performing pen testing as a simple “checkbox” process rather than as a strategic defensive strategy may drastically hinder its effectiveness.

The widening skills gap
Findings also reveal that when pen testing, most organizations (84 percent) use red team and blue team security testing, and nearly all respondents (95 percent) say they think this method is effective. The data indicates pen testing is more common among mid- and large-sized companies and shows that these organizations prioritize proactive security measures.

Still, only 43 percent say they think they are staffed to handle the workload, while 39 percent – including some who feel they are handling the workload effectively – say they lack sufficient numbers of skilled professionals. Specifically:

  • 21 percent lack the number of skilled personnel because they do not have the budget to hire additional people
  • 18 percent lack the number of skilled personnel because they cannot find skilled people to hire

Skilled personnel and the right tools are critical
Mature penetration testing proactively and reactively probes networks, Wi-Fi, mobile devices, people/clients and web applications for security weaknesses in each environment to determine levels of risk. Respondents agreed that they would save time and money by using both skilled professionals and specific tools to conduct pen testing.

  • 40 percent say their organization would benefit from tools that significantly improve productivity
  • 35 percent say their organization would benefit from tools that significantly improve the capabilities of new testers

Most enterprises conduct frequent tests
The survey discovered that 75 percent of organizations perform pen testing several times every year, 6 percent test less than once a year and 16 percent either did not perform pen testing or were unaware if they did.


Quotes from Company and Customer
“Enterprises are becoming increasingly aware of the critical importance of penetration testing,” said Keith Graham, CTO of SecureAuth + Core Security. “We have a duty to inform enterprises and business owners of the need and importance to make sure their security controls are effective and to demonstrate to them the areas where critical improvements need to be made. Moving from a ‘nice to have’ to a ‘must have’ strategy is critical to improving every organization’s security posture.”

“Companies in the aviation industry are constantly targeted by malicious attackers yet the industry remains understaffed, lacking in experience, knowledge and without the best tools for a thorough vulnerability assessment and pen test,” said Bruce Jackson, Managing Director at Air Informatics LLC. Air Informatics provides airplane wireless connectivity, aviation informatics, analytics and cyber security. “We know what will result in the best security practices, risk validation, vulnerability assessments, and penetration testing to keep e-Enabled Aviation Safe and Secure. You need the best tools in the hands of a knowledgeable team to make e-Enable Security policy, process and procedures work for you.”

Resources
Survey Report: The Cybersecurity and Penetration Testing Survey
Webpage: Penetration Testing Overview
eBook: A Simple Guide to Penetration Testing
Blog: Assess the Effectiveness of Your Security Controls with Penetration Testing
Product: Impact Penetration Testing

Survey methodology
SecureAuth + Core Security commissioned Decision Analyst to conduct an online survey among 202 IT decision-makers responsible for identity and access management (IAM) at companies in the U.S. with 500 employees or more. The survey took place between February 12 and February 19, 2018.

*Gartner, Forecast Analysis: Information Security, Worldwide, 1Q18 Update, 8 June 2018 (based on Constant Currency)

About SecureAuth + Core Security
SecureAuth + Core Security brings together network, endpoint, vulnerability and identity security to prevent the misuse of credentials by delivering true Identity Security Automation. The company is a leader in vulnerability discovery, identity governance and threat management, and is a respected pioneer in adaptive authentication and single sign-on (SSO). Our mission is to accomplish what no other security technology vendor can claim: Secure the enterprise across all major threat vectors with an identity-based approach to the attack lifecycle. To learn more, visit www.secureauth.com or www.coresecurity.com, contact SecureAuth at [email protected], or follow us on Twitter (@SecureAuth), and LinkedIn.

SecureAuth and Core Security are registered trademarks in the United States and/or other countries.
