Threat actors are continuing to successfully breach across the entire attack surface and the stakes are only getting higher: 93% of enterprises who admitted a breach reported unplanned downtime, data exposure, or financial loss as a result, according to Pentera.
Pentera surveyed 450 CISOs, CIOs, and IT security leaders at enterprise companies with more than 1,000 employees across the Americas, EMEA, and APAC.
IT environment changes outstrip pentesting frequency
Enterprises are continuing to prioritize pentesting as part of their security tool kit, accounting for an average of $164,400, nearly 13% of their total IT security budgets. The main drivers and uses for pentesting programs continue to be validating security controls’ efficacy, understanding potential attack impact and prioritizing security investments.
50% of CISOs report that they share the results of pentest assessments with their leadership teams as well as their Boards of Directors, using these reports as a tool to communicate cybersecurity risk both within and outside their organizations.
73% of enterprises report changes to their IT environments at least quarterly, however only 40% report pentesting at the same frequency. This underscores a serious frequency gap between the rate at which changes occur within the IT infrastructure and the rate of security validation testing, leaving organizations open to risk for extended periods of time.
Organizations embrace more cybersecurity tools
60% of enterprises report a weekly minimum of 500 security events that require remediation. Becoming “patch perfect” is an unfeasible, if not impossible, target for organizations. What’s more, organizations are even more resource constrained than before. In 2023, only 21% of respondents reported a lack of internal resources for remediation as a barrier to pentesting, while this year the number has leaped to 36%.
Organizations are adopting a greater number of cybersecurity solutions to manage their risk. On average, enterprises already have 53 security solutions in use across their organization, however, despite large security stacks, 51% of enterprises reported a breach over the past 24 months.
Security leaders are cautious around pentesting as many have experienced network downtime due to pentesting in the past. CISOs want to work with the most experienced pentesters who provide the highest level of validation to their security, while also posing the least risk to operations.
“The results of our latest report are indicative of the increasing infrastructure complexity of organizations today and the rising challenges that security teams face along with it. Close to a third of CISOs who cited a breach reported financial loss and data exposure, while 43% reported unplanned downtime as a result of the breach,” said Jason Mar-Tang, Field CISO at Pentera.
“Attack surfaces are more dynamic than ever and resources are limited, making it even more critical for organizations to proactively validate their risk exposure with accuracy and pinpoint exploitable gaps across the complete attack surface.”