The Path to Cybersecurity Confidence Starts With Penetration Testing

Every day there seems to be a new vulnerability or large-scale information security breach to read about. These constant reminders of cybersecurity’s importance are highly justified. But for large enterprises, which are offered multiple products and solutions to protect their systems from a growing variety of threats, it’s often difficult to determine where to start when it comes to boosting their cybersecurity confidence.

The Value of Penetration Testing

Surely a large enterprise needs to assess its weak spots and gaps before purchasing specific security products. Technically assessing systems and networks gives insight into what businesses actually need to best protect themselves. It also puts a stop to the bolting-on of the latest security product regardless of whether it is best for their systems. This need for technical assessment points to penetration testing.

Having penetration testers assess your systems can provide a comprehensive and prioritized view of what should be done to best protect them from the growing number of cyberthreats. Once penetration testing has exposed the gaps in security, the testers can make recommendations on how to close them.

In “Application Security Testing on Cloud and the Future of Penetration Testing,” Eitan Worcel articulated the value and skills of a pen tester: “Great pen testers have deep knowledge of operating systems, networking, scripting languages and more. They are also eager to learn new approaches and employ the new content that they learn in practice. They combine manual work with automated tools and conduct their testing in iterations, reviewing interim test results to build complicated attacks just like a cybercriminal would.”

How to Select the Right Pen Testing Provider

Having the required skills in house to carry out an effective penetration testing strategy would be a luxury for any enterprise. As a result, many turn to third-party providers. Knowing who to choose to carry out penetration testing can be tricky, however. Fortunately, industry standards may be beneficial because they act as a seal of quality and compliance; they can help you select the right penetration testing company for your needs.

In the U.K., for example, the CREST certifications “provide organizations wishing to buy penetration testing services with confidence that the work will be carried out by qualified individuals with up-to-date knowledge, skill and competence of the latest vulnerabilities and techniques used by real attackers.” Choosing a CREST-accredited penetration testing company would ensure a quality service.

The second step in selecting a penetration testing service provider would be to look at the bigger picture. Which of those accredited companies have the breadth of knowledge and services to help you fix the issues uncovered in the penetration testing phase?

A company equipped to provide the end-to-end security service — starting with penetration testing and identifying gaps — can advise and implement the correct solutions. Not only does this close those gaps, but it proactively ensures the company is prepared to fend off future attacks and threats.

This process should be cyclical. Regular penetration testing should be carried out periodically, but especially when new partners, technologies or tools are added to the mix. This way, pen testing can be an important and regular part of an organization’s information security risk management process.

Learn more about X-Force Red and IBM’s specialized pen testing services

Share this Article:
Daniel Carnelley

Security Consultant, IBM

Daniel works for IBM in the Security Business Unit. Since joining IBM as a graduate in 2011, Daniel has taken on a number of roles in the security unit, including analyst, consultant, offerings manager, executive assistant to the director and marketing.