A lot of companies are asked to do a pen test by their clients, because they think a pen test will let them know if their business partner’s technology is “secure” against cyber threats.
The scan happens. The areas that need to be fixed are fixed. And the client feels warm and fuzzy inside. However, this feeling is misleading as the company isn't necessarily more secure— all it says is that you found some technical vulnerabilities and that you are going to fix them (or have fixed them). But it does nothing for the future. It says nothing about the continued maturity of the security program.
More than Having Technology
A Security Posture Assessment (SPA) identifies gaps not just in technological controls, but in policies and procedures as well. The idea of throwing hundreds of thousands of dollars at technology to try to solve every security issue is quite well-trenched. Not only is that not practical, going down that path provides a false sense of security. Unless you are fully staffed with people managing the technology with defined policies and processes, that expensive endeavor is like drafting a Heisman Trophy winner without having a team or playbook to support his success.
Have the Winning Game Plan
To continue with the sports analogy and comparing IT security to football, a SPA would be like having a full and complete game plan. On the other hand, a pen test only checks how your offensive line holds up against a pass rush. It doesn’t bring to attention the fact that your defensive backs are slow, your quarterback is injured, or you’re down to your third-string kicker.
Football teams do not just throw people on the field and expect victories. No team focusing all of their attention on one side of the ball expects to be successful. How many teams test their offensive line by practicing only one kind of blitz and then envision their quarterback being safe throughout the game or season? That narrow-minded approach is what causes IT security issues in companies.
Football teams have to account for offense, defense, special teams, the coaching, location of the game, the weather, the referees, the stakes of the game and more. Focusing in on too few of those areas and not considering how they all work together results in losses. Just like in football, companies need to cover all the angles to be prepared. Companies have to consider the many different layers of IT and IT Security: processes, staffing, training, regulations, physical and environmental factors, not just the technology.
Spend Now, Save Later
Most companies only request a pen test because they want to do the minimum, get it off their plate and save a few bucks in the process. But, the truth is that most major data breaches, like AT&T and Target for example, have occurred because of internal mistakes that could have been prevented with the correct people and processes a SPA identifies and puts in place. That initial savings of a pen test over a SPA results in costing the company millions of dollars depending on the scale of the company and aftermath of the breach. So next time you need to do a pen test, dip your toe in the water and try a SPA instead.
Luke Klink is Advisory Services Lead, Rook Security, a global IT security solutions provider.