Research by Cybersecurity Ventures projects a doubling of the global cost of cybercrime in the 2015-2021 period, from $3 trillion to $6 trillion. The escalation of cybercrime is closely related to the rapid expansion of the cyber attack surface. For instance, the total number of Internet users doubled between 2015 and 2018, from 2 billion to 4 billion, and is expected to hit 6 billion by 2022. In addition, the number of connected devices, especially Internet-of-Things (IoT) devices, seems bound to skyrocket in the coming years, and the same holds true for data volumes. For chief information security officers (CISOs), these trends mean that their job is becoming:
- Increasingly common, with more companies creating a CISO role (finally)
- More important, with CISOs increasingly reporting to the CEO directly (again, finally)
- Far, far harder, since CISOs have to protect their company against the growing risk of cyberattacks.
However, the future of cybersecurity is also being shaped by positive developments that CISOs can and should take advantage of, such as growing security awareness and advances in cybersecurity automation. While industry research shows that most CISOs already rely on at least some level of automation to boost their organization's defensive efforts, automation holds great promise for offensive security as well. In fact, CISOs can benefit immensely from adopting solutions such as our very own vPenTest automated penetration testing platform. Let's explore some of those benefits.
1. Overcoming the skills gap
As we mentioned in a previous post, automation is a potential game-changer for offensive security in 2020, in part because it can help organizations overcome the global shortage of cybersecurity professionals, which currently exceeds 4 million according to a recent (ISC)² report. In the US, the cybersecurity workforce would need to grow by a staggering 62% to meet current demand, and penetration testing is among the roles that have become especially understaffed in recent years. By making it possible to launch a full penetration test with the click of a button, automated solutions like vPenTest let you draw on the knowledge and skills of seasoned penetration testers, built into the platform, without having to recruit anyone in this role.
2. Saving money
In a recent study by Forbes and Fortinet, budget limitations were the most cited obstacle preventing CISOs from improving and expanding their cybersecurity program, and more than half (52%) of infosec executives acknowledged that budget restrictions had a significant impact on cybersecurity in their firm. Because automated penetration tests are significantly cheaper than traditional assessments, they make it easier for CISOs with limited budgets to add an offensive dimension to their cybersecurity efforts. Moreover, for companies that currently rely on manual assessments, automated pentesting is a way to save money on this part of their security strategy and invest it elsewhere. For instance, instead of paying an external professional to travel to your headquarters to conduct an internal penetration test, you could launch the assessment yourself with the click of a button, and spend the money you saved on remediating the issues the assessment uncovers.
3. Saving time
One major source of frustration for companies relying on traditional penetration testing is the time it takes to get from the decision to perform a penetration test to receiving the final report. In the first stage of this process, the firm needs to contact a security consultant to schedule an assessment. Organizations working with external penetration testers depend on the latter's availability and may therefore struggle to have an assessment conducted on short notice. Instead, they usually need to plan penetration tests weeks or even months in advance, and once the assessment has been conducted it can take several more weeks to receive the report. Companies with one or more penetration testers on the payroll may be able to schedule assessments without much delay, but they will generally still wait at least several days for the full report. By contrast, with automated penetration testing the report is generated during the assessment, so there is no waiting afterward: once the penetration test has completed, the report is ready for you. And since you don't need to coordinate with human testers, you control when assessments are launched and how often.
4. Introducing continuous penetration testing
Since traditional penetration testing requires significant resources, mostly in terms of time and money, organizations usually conduct only one or a few assessments per year. In fact, a recent Synack report found that of the companies that perform security testing, about half (49%) carry out up to 4 tests per year, while 44% conduct assessments on a monthly basis. Moreover, companies allocate just 21 human testing hours per penetration test on average. For small to mid-sized businesses (SMBs) the average is far lower still, with almost two in three SMBs allocating under 8 hours per assessment. Similarly, a 2019 ESG survey found that three out of four organizations (75%) conduct penetration testing or red teaming as finite projects lasting 2 weeks or less. As a result, serious gaps in security such as misconfigurations and unpatched vulnerabilities may remain in a company's environment for weeks or even months before being noticed and addressed. In this sense too, the transition from traditional to automated penetration testing can be a turning point for the security of your organization, because it enables you to perform penetration tests on an ongoing basis. With your environment continuously scanned and probed, you can track your organization's risk profile in near real-time, promptly address issues, and share this information with the C-suite and the board. The payoff of testing more often is shortening the window between a weakness appearing and its being fixed, so continuous findings are most valuable when they feed directly into your remediation workflow.
5. Maintaining compliance with ease
The many advantages of automated penetration testing platforms like vPenTest over traditional assessments not only allow CISOs to improve their security program, but also help them streamline compliance efforts. According to the Synack report cited above, companies consider the most frustrating aspects of compliance testing to be:
- The high costs involved
- The time it takes to schedule assessments
- Managing testers
- The low amount of testing
As we have outlined in this article, you can remove all of these hurdles by switching to automated penetration testing for compliance purposes, because in comparison with traditional testing:
- Automated penetration testing is far cheaper.
- Automated penetration testing takes far less time.
- Automated penetration testing does not require you to manage testers, as the assessments can be carried out by anyone in your organization with the click of a button.
- Automated penetration testing can be implemented on an ongoing basis.
In other words: automated penetration testing puts you fully in control of the testing process, since assessments can be tailored to your needs and run whenever, and as often, as you want.
About Vonahi Security
Vonahi Security is building the future of offensive cybersecurity consulting services through automation. We provide the world's first and only automated network penetration test platform that replicates full attack simulations with zero configuration. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has worked with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Penetration Testing and Adversary Simulations. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io