[EDITORS NOTE]: This article originally appeared on Mike Hamilton’s monthly blog on CSO Online.
I’m often skeptical of survey results, but a recent survey from the 2017 HIMSS (health sector) conference, which suggests that penetration testing is a top priority, caught my eye. Add to this Gartner’s global cybersecurity group estimate of a 14 percent uptick in “security testing,” as well as an 8.5 percent increase in “consulting.”
Combined, these projections imply that many organizations may be readier to prioritize budget towards penetration testing. That’s great, if we understand the limits and the proper role of pen testing in an overarching security strategy.
At a conceptual level, pen testing is a great way to help manage security in an organization. It’s great at evaluating the efficacy of your security system’s detection and response mechanisms, and it’s a fantastic tool when you want to build a case to effect meaningful internal change and/or ask for a larger security budget.
But a penetration test that ends up showing that your defenses are impenetrable is likely fatally flawed.
I was a penetration tester back in the day (when it was much easier), and having worked with scary-good penetration testers here at Critical Informatics, I can tell you they never lose. They always get in.
So, what should we take away from this reality?
So yes—you’re secure until the moment you hit the radar of someone who has, or who can acquire, what are becoming commoditized skills.
If penetration testing and other evaluations of your defenses are something you’re prioritizing this year, be aware: the information you will obtain is not revelatory, and simply addressing the specifics of whatever vulnerability was exploited will not appreciably change the outcome of the next penetration test (which may not be a test).
A penetration test can help drive internal messaging, especially around the need for resources to address the ease with which your information technology can be compromised. It can help to prioritize on actualized business risk rather than fear, uncertainty, and doubt. In other words, the vulnerabilities identified are not as important as the management outcome.
However, there are two areas of focus that should be evaluated against the results of a penetration test:
Remember—penetration tests are valuable as a reference point, but only if the results are properly translated into an effective overall security strategy. That way, when your ticket is punched, you’ll be ready.