Changing approaches to penetration testing

As a security consultancy, Cyberis undertakes penetration testing for organisations of all sizes and in many verticals. This testing is often driven by regulatory or compliance requirements, and some customers' operational teams view it as a necessary evil. Given time and resource pressures, and the prioritisation of business functions by internal ops teams, devops teams and other support staff, security teams can find it difficult to gain engagement and traction for fixing identified vulnerabilities in existing systems and for driving progress in internal security programmes. This inevitably leads to stagnation and to increased risk over time, as systems become obsolete and standards slip.

With one of our larger government department customers, Cyberis has taken a different approach.

Working closely with the organisation's security team, we devised an approach to penetration testing that challenges the operational teams to remediate the serious vulnerabilities in their systems while still meeting regulatory penetration testing requirements. By logically splitting the testing requirements into smaller units, and testing and retesting in six-monthly cycles, the operational teams are 'on the clock' to remediate issues in time for the retest of their specific system. Cyberis now engages in a challenge / response approach to the testing: we challenge the operational teams to fix the systems, and they respond to our challenge within the six-month timeframe by fixing the most significant concerns. Of course, we support the teams over the six-month interim period with any information they require.

Rather than viewing penetration testing as an annual audit to be feared or resented, the customer's ops teams now engage positively with the security challenges posed, and with our penetration testing team. This has driven a significant improvement in the security posture of the organisation and an overall lowering of its technical risk profile, which had seen little progress in the previous three years. It has also led to a technology refresh driven by the business and ops teams: dated technology is finally being removed from the environment; new virtualisation technologies have been adopted to streamline and enhance business processes and to deliver cost savings and efficiencies in system build and deployment; and the operational teams and business units have designed standards, policies and processes that consider security requirements at the system design stage.

By taking this approach, we have achieved a significant culture change in the organisation, giving ownership of security risks to the operational teams and business units, who now view the application of security controls to their systems as a source of pride and look forward to the next challenge posed by our team.