Pentesting No Longer Driven by Regulatory Compliance, New Study Finds


While the initial need for penetration testing (pentest) arose from regulatory compliance, it is no longer the prime mover, said Pentera, an automated security validation specialist in a new report.

The Boston, Massachusetts- and Tel Aviv-based company’s annual State of Pentesting 2023 report, which surveyed 300 chief information officers (CIOs) and chief information security officers (CISOs) across Europe and the U.S., found that the primary motivations for pentesting are security validation, assessing potential impact and cyber insurance.

Why Organizations Pentest

Only 22% of the study’s participants pointed to compliance as the main reason to pentest. Regulatory or executive mandates are still impactful but not the primary rationale driving pentesting, Pentera said. Despite deploying multiple security solutions, nearly nine in 10 organizations (85%) in the last two years bumped up their pentesting security budgets following a breach incident, said Pentera. But it’s not just additional budget that should be driving more pentesting, the company said; what is needed is a strategy and a vehicle for continuous validation.

“We’re seeing more organizations increase the cadence of pentesting, but what we really need to achieve is continuous validation across the entire organization,” said Aviv Cohen, Pentera’s chief marketing officer. “Annual pentesting assessments leave security teams in the dark most of the year regarding their security posture. Security teams need up-to-date information about their exposure using automated solutions for their security validation.”

How Organizations are Doing Cybersecurity

Here are some additional findings from the study:

  • On average, companies have almost 44 security solutions in place, indicating a defense-in-depth strategy, where multiple security solutions are layered to best protect critical assets.
  • Despite the large number of security solutions implemented, 88% of organizations admit to being compromised by a cyber incident over the past two years.
  • Cybersecurity budgets are not expected to be affected by the anticipated economic slowdown in 2023. 92% of organizations report a raise in their IT security budgets, and 85% report a raise in their pentesting budget specifically.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.