Penetration testing helps organizations ensure IT systems are secure, but it should never be treated in a one-size-fits-all approach. Traditional approaches can be rigid and cost your organization time and money – while producing inferior results.
The benefits of pen testing are clear. By empowering “white hat” hackers to attempt to breach your system using similar tools and techniques to an adversary, pen testing can provide reassurance that your IT set-up is secure. Perhaps more importantly, it can also flag areas for improvement.
As the UK’s National Cyber Security Centre (NCSC) notes, it’s comparable to a financial audit.
“Your finance team tracks expenditure and income day to day. An audit by an external group ensures that your internal team’s processes are sufficient.”
While the advantages are obvious, it’s vital to understand the true cost of the process: indeed, the classic approach can often demand significant time and effort from your team. You need to get your money’s worth.
Pen testing hidden costs
There’s no one set form of pen test: it depends on what exactly is being tested, how often the pen test occurs, and how it takes place. Nevertheless, there are some common elements of the classic approach that could generate significant costs, both financially and in terms of your employees’ time.
Let’s take a look at some of the costs that might not be immediately obvious.
Administrative overheads
There can be significant admin involved in arranging a “traditional” pen test. First, you need to coordinate schedules between your own organization and the testers you’ve hired to conduct the test on your behalf. This can cause significant disruption to your employees, distracting them from their day-to-day tasks.
What’s more, you’ll need to develop a clear overview of the resources and assets at your disposal before the test can occur, by gathering system inventories, for instance. You’ll also need to prepare access credentials for the hackers, depending on the type of pen testing approach you intend to take: for example, the testers may need these credentials to develop a scenario based on the risk of a disgruntled employee targeting your systems, for instance.
Scoping complexity
Again, determining the precise scope of the test is important – what is “in-scope” for the hackers, and what should remain out of scope?
This will be determined in-house, and will be built on several factors, depending on the precise needs of the organization; there may be certain applications, for instance, that cannot be included in the test. No matter the reasons, determining the overall scope of the testing will take time.
Of course, this isn’t set in stone: some organizations might deal with highly sophisticated environments, which change over time. You will need to devote resources to assessing the potential impact of these changes – as your environment changes, should you include new elements for the testers to target?
All of this raises…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
