Given the importance of information security testing — including vulnerability scanning, vulnerability assessments and penetration testing — I find it interesting how little thought goes into the actual scoping of such work. Quite often, the scope of security testing has too many constraints.

Struggling With Scope

In large enterprises, for example, there’s often interest in conducting an external penetration test or perhaps focusing specifically on one or two core Web applications. That’s all fine and good. However, the problem is that the entire environment is not being fully assessed. In fact, I have worked in many large enterprise environments where a comprehensive security assessment has never been performed.

It’s often a similar situation in midmarket enterprises: They will want to do external security testing but perhaps not look at the internal environment. This goes for on-premises LAN/WAN systems as well as systems in the cloud.

If there’s any group of businesses that seems to do things well, it’s small businesses such as cloud service startups, health care providers and nonprofit organizations. Perhaps the tighter scope and smaller budget allow these organizations to look more closely at everything across the board.

At the end of the day, regardless of the organization’s size, that’s exactly what needs to be assessed: everything.

What Goes Into Security Testing?

There is no right or wrong answer to the question of how to perform ongoing security testing in your organization — unless critical systems and related business requirements are being overlooked. Unfortunately, I’m convinced that’s often the case.

Don’t get me wrong; I’m not naïve enough to think organizations have an unlimited budget to do the most thorough and comprehensive security testing. The economics of security don’t work that way. The problem that I’m seeing is that these organizations are claiming to be secure and signing contracts stating that they’re testing their environments. Yet what they are claiming hasn’t been done.

If you’re in charge of information security in your organization, you have to be careful about how you approach this. You don’t want to skim the surface of your environment, and you certainly don’t want to over-commit to doing everything if you’re not equipped for it. Know what you’re signing up for, what your committing to and for what you’re being held accountable.

Recommendations for Professionals

Make sure that there are checks and balances in place between those writing the requirements and running the project as well as others who are requesting that the work be done, such as auditors and management. If an outsider such as a consultant or security firm recommends that you do things a bit differently — perhaps adding in more systems to test or testing things in different ways to ensure that you get the best results — heed that advice. It could be that one nugget that ultimately prevents a breach down the road.

You have to ask yourself: What is my goal? Perhaps the goal is to determine whether specific systems or applications are secure. Maybe the goal is to ensure that all external-facing systems are in check. Or it could be to ensure that all systems are being tested so you can get a true measurement of your information risk. In all but the oddest of cases, it should eventually be the latter.

Read the interactive white paper: Preempt attacks with programmatic and active testing

More from Risk Management

The Growing Risks of Shadow IT and SaaS Sprawl

4 min read - In today's fast-paced digital landscape, there is no shortage of apps and Software-as-a-Service (SaaS) solutions tailored to meet the diverse needs of businesses across different industries. This incredible array of options has revolutionized how we work, providing cost-effective and user-friendly tools that streamline tasks and boost productivity. However, this ever-expanding application ecosystem comes with its challenges: namely, shadow IT and SaaS sprawl. According to a recent study by Entrust, 77% of IT professionals are concerned about shadow IT becoming a…

Are you ready to build your organization’s digital trust?

4 min read - As organizations continue their digital transformation journey, they need to be able to trust that their digital assets are secure. That’s not easy in today’s environment, as the numbers and sophistication of cyberattacks increase and organizations face challenges from remote work and insider behavior. Digital trust can make your organization’s digital transformation stronger. A lack of digital trust can do irreparable harm. However, according to ISACA’s State of Digital Trust 2023 report, too many organizations struggle to define and implement…

Most organizations want security vendor consolidation

4 min read - Cybersecurity is complicated, to say the least. Maintaining a strong security posture goes far beyond knowing about attack groups and their devious TTPs. Merely understanding, coordinating and unifying security tools can be challenging. We quickly passed through the “not if, but when” stage of cyberattacks. Now, it’s commonplace for companies to have experienced multiple breaches. Today, cybersecurity has taken a seat in core business strategy discussions as the risks and costs have risen dramatically. For this reason, 75% of organizations…

How IBM secures the U.S. Open

2 min read - More than 15 million tennis fans around the world visited the US Open app and website this year, checking scores, poring over statistics and watching highlights from hundreds of matches over the two weeks of the tournament. To help develop this world-class digital experience, IBM Consulting worked closely with the USTA, developing powerful generative AI models that transform tennis data into insights and original content. Using IBM watsonx, a next-generation AI and data platform, the team built and managed the entire…