
Pentesting Infrequency Leaves Security Gaps


Security testing is struggling to keep pace with organizational IT change rates. That's according to a new survey, State of Pentesting 2024 report, from Pentera, a specialist in automated security validation.

This and other results from the survey point to market opportunities for MSSPs and MSPs that provide penetration testing services.

MSSP Alert's own research shows that 63% of MSSPs already recognize the importance of this service to end-user organizations and provide their own pen testing-as-a-service. But how frequently are end-user organizations availing themselves of this service?

Pentera's third annual industry survey shows that 73% of organizations report changes to their IT environments at least quarterly. However, only 40% report pentesting at the same frequency.

The findings underscore a serious frequency gap between the rate at which changes occur within the IT infrastructure and the rate of security validation testing, leaving organizations exposed to risk for extended periods. Commenting on this disparity, Pentera’s Jason Mar-Tang, Field Chief Information Security Officer (CISO), believes the findings are indicative of the increasing infrastructure complexity of organizations today and the rising challenges that security teams face along with it.

“Close to a third of CISOs who cited a breach reported financial loss and data exposure, while 43% reported unplanned downtime as a result of the breach,” Mar-Tang said. “Attack surfaces are more dynamic than ever and resources are limited, making it even more critical for organizations to proactively validate their risk exposure with accuracy and pinpoint exploitable gaps across the complete attack surface.”

500-Plus Security Events a Week

A key takeaway from the report shows that organizations are spending an average of $164,400 — nearly 13% of their total IT security budget — on manual pentesting assessments. Today, 60% of organizations pentest twice a year at most, which is a large investment and a sizable portion of the budget for a security activity, Pentera reports.

Pentera also found that more than 60% of enterprises report a weekly minimum of 500 security events that require remediation. As such, becoming “patch perfect” is an unfeasible, if not impossible, target for organizations.

Organizations are now adopting a greater number of cybersecurity solutions to manage their risk. On average, enterprises already have 53 security solutions in use across their organization, according to Pentera’s research. However, despite large security stacks, 51% of enterprises reported a breach over the past 24 months.

Pentera asserts that threat actors are continuing to successfully breach across the entire attack surface and the stakes are only getting higher. Among the enterprises that admitted a breach, 93% reported unplanned downtime, data exposure or financial loss as a result.

The main drivers and uses for pentesting programs continue to be validating security controls’ efficacy, understanding potential attack impact and prioritizing security investments, Pentera reports.

Decreasing Security Budgets Compound Risk

The research indicates that 50% of CISOs share the results of pentest assessments with their leadership teams as well as their boards of directors. Accordingly, IT leaders use the reports as a tool to communicate cybersecurity risk both within and outside their organizations.

CISOs are being challenged to do more with less: 53% of enterprises report decreasing or stagnating IT security budgets for 2024, Pentera found.

“This is a major departure from the 2023 outlook where 92% of enterprises projected a rise to their IT security budgets,” the Pentera report said. “When organizations cannot count on new resources, operational efficiency and getting more out of their existing security suite becomes paramount.”

To compile the report, Pentera surveyed 450 CISOs, CIOs and IT security leaders at companies with more than 1,000 employees across the Americas, EMEA and APAC. Pentera will conduct a webinar on April 30 featuring Jay Mar-Tang and Matt Bromiley, SANS Institute Instructor.

Jim Masters

Jim Masters is Managing Editor of MSSP Alert, and holds a B.A. degree in Journalism from Northern Illinois University. His career has spanned governmental and investigative reporting for daily newspapers in the Northwest Indiana Region and 16 years in a global internal communications role for a Fortune 500 professional services company. Additionally, he is co-owner of the Lake County Corn Dogs minor league baseball franchise, located in Crown Point, Indiana. In his spare time, he enjoys writing and recording his own music, oil painting, biking, volleyball, golf and cheering on the Corn Dogs.