In theory at least, as cybersecurity concerns rise there should be a corresponding increase in the amount of testing being done to make sure IT environments are resilient. A survey of 300 IT leaders conducted by Synack, a provider of a platform through which penetration testing is outsourced, finds 44% of respondents report they are running cybersecurity tests at least monthly.
However, a typical security test takes on average between one and two weeks to complete, and Synack claims the average crowdsourced security testing engagement lasts more than 300 hours. And yet, the survey finds 40% of organizations are spending eight hours or less per test, while 30% are spending between nine and 20 hours per test. It is possible that organizations are getting more efficient at cybersecurity testing, but it is far more likely that the number of things that need to be tested has increased sharply. As a result, more tests are being run, each for a shorter duration.
A total of 62% of organizations rely on an internal security team to run those tests, followed by internal auditors (29%), external auditors (22%), security vendors (22%) and development teams (18%). In addition, the survey finds 43% of respondents have relied on third-party vendors to conduct tests in the last two years. A full 63% said the most common use case for external vendors is to identify and reduce vulnerabilities, followed by meeting compliance mandates (47%). Over half the respondents (55%) are required to include software and applications within the scope of those tests.
The biggest frustration with testing cited by survey respondents was expense (32%), followed by time to schedule (17%). Over half (52%) of respondents said they experience unwanted cost and complexity due to overlap in functionality from using multiple security vendors.
Perhaps more troubling, only 61% of respondents said they felt their security posture had improved as a result of testing. The report also notes 27% of organizations are dissatisfied with the time and effort required to manage testers and scheduling.
Put it all together and it's clear testing continues to get short shrift. The cost of testing, coupled with a chronic shortage of cybersecurity professionals and an ever-increasing attack surface that needs to be defended, creates an untenable situation. No one is limiting the amount of testing being done because cybersecurity teams would rather be doing something else. Rather, the issue is that there simply isn't enough time in the day to accomplish the task.
Cybercriminals, meanwhile, are only too happy to scan for vulnerabilities they know are going to exist because no one had the time to discover and remediate them. Even when cybersecurity teams know a vulnerability exists, many such vulnerabilities go unaddressed because they didn't rank high enough on the remediation priority list.
Obviously, there's a lot of opportunity for improvement when it comes to cybersecurity testing. Advances in automation and artificial intelligence (AI) should substantially improve testing in the months ahead. In the meantime, cybersecurity teams should remind business leaders that it's not a question of whether there will be a breach. Rather, it's a question of what degree of harm should be anticipated given how much testing isn't being done.
Mike Vizard has covered IT for more than 25 years and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet, and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb, and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.