SecurityBrief Australia - Technology news for CISOs & cybersecurity decision-makers
How IT leaders can prepare organisations for penetration testing
Tue, 4th Apr 2023

Australian boards are increasingly aware that their organisations are likely under-prepared for the complex cyber risks they face; however, many are still not proactive about cyber resilience.

The constantly changing IT environment is a persistent challenge for IT departments. New versions of applications, websites and business systems, along with network changes, are deployed continuously, and each change can introduce new vulnerabilities, while malicious actors keep developing and deploying new attack methods. Staying ahead of these threats is therefore a constant requirement rather than a one-off project.

Evolving threats present significant challenges for IT professionals, who are often given the same advice: ask the right questions, review the right metrics, and find and close every vulnerability. The problem is that they are seldom told which questions to ask, which metrics are useful, or, more importantly, how to interpret the results.

To limit cyber security breaches, leadership teams need to focus on how their organisations detect, manage, and recover from cyber attacks. The first and most crucial step is understanding where the organisation is vulnerable. A penetration test, or ‘pentest’, is an authorised, simulated cyber attack that uncovers exploitable vulnerabilities before a real attacker does.

Pentesting is at the heart of a business’s ability to understand its cyber risk profile, which is the precursor to being able to detect, manage, and recover from cyber attacks. The reality is that cyber attacks can no longer be avoided, but their impact can be mitigated. Not all penetration tests are the same, however; depending on organisational maturity and the desired outcomes, it may also be worth considering a red team engagement (an objective-driven attack simulation that also tests detection and response), a purple team exercise (attackers and defenders working together to tune detections), or an active threat hunt (searching for attackers who may already be inside the environment).

It is important for businesses to work with a partner that can advise on what to test in context with the business’s needs. IT professionals do not always know what to ask or which metrics to review because they deal with large data sets and highly complex systems with thousands of configurations.

Organisations looking to improve their security postures should consider a provider that:

  • Values its pentesting team and freely communicates its approach to pentesting
  • Has a team of experts that are up to date on the latest attack methods and vectors
  • Aims to enhance the client’s security risk profile as the primary objective
  • Has staff that can efficiently and effectively communicate which risks have been revealed through the pentest
  • Can help the business quickly remediate vulnerabilities identified within the IT environment, with the biggest impact on security posture yet the lowest impact on budget.

The final pentesting report should not only list the identified vulnerabilities, but also provide a clear, detailed explanation of how each could be exploited. By including either a proof of concept (PoC) or step-by-step instructions to reproduce each issue, the report lets IT teams verify the finding, understand the underlying problem, plan remediation effectively, and confirm the fix by re-running the same steps afterwards. Every report should also help the IT team prioritise remediation, addressing the issues with the greatest impact and likelihood first, to ensure a robust security posture for the organisation.