Penetration testing (PT) has benefitted organizations for years. The increase in supply and demand of this is driven by a number of factors, including the sophistication of cyberattacks, and the volume and complexity of data. It has also become a major requirement of many security standards such as SOC2, ISO 27001, GDPR and HIPAA. As CISOs, we agree that a PT is no longer optional. And with security vendors competing for our budgets, it is essential we understand how to get the best return on our PT investment, from both a financial and security point of view.
My name is Hadas-Charline and I am a CISO with 13 years’ experience. While there might be professionals out there with more years in the field than me, I aim to bring value based not only on tenure, but on my unique background. I served in the military for ten years working on a range of operational and classified projects of national security. When I left, I worked hard to adapt my skills to succeed in civilian life. I believe that the mix of an operational environment ruled by strategy and security vs professional environment driven by time and profits has helped me simplify processes. I see ‘issues/problems’ as nothing more than tasks in disguise.
Let’s return to penetration testing. Firstly, you should prioritize quality and experience. When it comes to conducting a PT, you need to consider it like any other business opportunity. You could decide on a cheap option. However, doing so reduces the likelihood of a worthwhile outcome, be it in the quality of the findings, your customer experience, or the experience of the research team and their ability to accomplish your goals. Instead, invest in building a relationship with the most skilled vendor you can find, and steer off the cheapest solutions. The difference will be evident in the final outcomes your organization will receive.
Secondly, you need to focus on the scope. It could be your assets, (applications, development environment, cloud infrastructure, and more) or someone else’s assets that you are accountable for. Defining your scope clearly will provide both you and your stakeholders with a reliable security stamp of approval and reduced risk. In the absence of a proper PT scope, you risk excluding essential elements, leaving crucial questions unanswered, and, worst of all, critical assets that could potentially be exposed without anyone’s knowledge.
Having found a vendor that meets your expectations and after scoping the project, the next step is a ‘run through’. This process should take place a few days before the research is set to begin. Its purpose is to ensure that the research team is aligned with your vision and has everything they need (IT setup, user credentials, an understanding of the scope and its correct function etc) to test the assets in scope, thus maximizing the team’s efficiency and return on investment. I’d even go so far as suggesting that you delay launching the PT until an effective run-through has been conducted and you are satisfied that the pen test teams are ready.
Once the PT is completed, the next step is a summary meeting with the key personnel from your organization (head of R&D, IT, management etc…) and the PT researchers. Remember, you, as a CISO, will probably not be the “hands-on” person to resolve the PT issues and other key personnel have their own priorities. If you communicate this priority to everyone, most of the work will flow of its own accord because everyone understands that having open vulnerabilities is ‘not great’. The summary meeting can promote understanding and engagement as well as the actions required to fix them.This approach can also reduce stress created by your CISO responsibilities – rather than pointing fingers, this is an opportunity for experts with common interests to talk about their common goals.
Finally, fixing the vulnerabilities. As a general rule, think twice as to whether you want to conduct a PT if you lack the capability to fix the identified issues. It’s like investing in a top of the line Harley Davidson only for your cat to nap on it. It’s not the best investment.
A penetration test is a work program that outlines how you can prevent the next cyber security incident, and identifies the weak points within your organization’s assets. Now you’ve consulted with all the expert teams both from the PT team and your own organization, you can ensure they provide recommendations within the required time needed to fix vulnerabilities. You can use ‘best practice’ SLA if you are uncertain, but don’t leave it to chance – manage the vulnerabilities and fix the issues. Experiencing a cybersecurity incident is unfortunate, but being hit by an incident you knew you could have avoided – well that’s inexcusable.
And a little note from my own CISO experience – when you approach this matter seriously and rally everyone to recognize its critical nature, the message resonates, and awareness grows on its own without you even realizing it.
About OP and the writer:
OP Innovate was established in 2014 to defend global enterprises from the increasing challenges of organizational cybersecurity. Our experience in the field is extensive with unmatched expertise in cyber research, penetration testing, incident response, training and forensics. With headquarters in Israel, we rub shoulders with the best-of-breed in the field of cybersecurity, exposed to cutting-edge responses to today’s most critical cybersecurity concerns. This knowledge allows us and our customers to remain ahead of the curve.
The OP Innovate team is composed of cybersecurity thought leaders, skilled white hat hackers and analysts with decades of cumulative field experience with government and private sector organisations alike. We provide our customers with solutions based on the external and internal threat landscape, leveraging the most relevant and effective cybersecurity tools for the mission.
Our highly-qualified personnel diverse backgrounds coalesce into our formidable offensive and defensive capabilities for a business-first approach. Each team member understands how to conduct technically challenging testing and analysis activities while ensuring that no damage befalls mission-critical systems.
Hadas-Charline Eshkar (Major res.) is a CISO-as-a-service at OP Innovate since May 2022 where she is responsible for overseeing the security of multiple organizations and leading PT projects and incident response teams. Before joining OP Innovate, she served as a cyber security and continuity officer in the Israeli Air Force for over ten years, where she specialized in defensive techniques, training, real time continuity, and disaster recovery. She is currently pursuing an MBA degree at Northwestern, Kellogg school of management where she is writing a thesis entitled “The connection between financial investments, cyber security and profits”, Hadas-Charline made Aliya to Israel from France in 2010 and speaks five languages.