In the past 24 months, more than 88% of organizations have been breached

That’s right: almost nine out of ten companies were hacked. Considering that organizations use an average of 44 security solutions to protect their IT environments, this number is alarming.

The way enterprises handle such security threats is impacted by global trends, from the economic slowdown to the growing awareness of cyber risks and threats. Additional trends, like the emergence of satellite security practices such as cyber insurance, are also influencing security strategies. 

So how are these global changes affecting security validation and pentesting practices?

We attempt to answer this question in our new report, based on a survey conducted by Global Surveyz Research. The survey covered 300 security executives in VP or C-level positions at companies with more than 1,000 employees in the US, UK and Western Europe, and the report paints an overarching picture of the state of pentesting.

Our key findings include:

  • Organizations are still experiencing high rates of breaches
  • Pentesting is no longer just about regulatory compliance
  • The percentage of companies with in-house red teams is on the rise

To read the complete report with all the details, click here.

Let’s take a closer look at these findings.

Rising IT Security Budgets Despite Economic Slowdown

Despite the economic slowdown caused by global supply chain shortages following the pandemic and the ongoing conflict in Ukraine, companies can’t afford to be complacent about their cybersecurity. A recent report by Check Point Research (CPR) found that cyberattacks rose by 38% in 2022 compared to the previous year, with an average of 1,168 weekly attacks per organization.

These results align with our findings: in the past two years, a shocking 88% of organizations reported being compromised by a cyber incident, and the trend shows no signs of slowing down. With budgets being cut across the board, it’s crucial that cybersecurity remains a top priority.

But there is a glimmer of hope amidst the uncertainty. Our research shows some promising findings: 92% of organizations are raising their IT security budgets and 86% are raising their pentesting budgets. Approximately a third of respondents plan to increase these budgets by more than 10%.

It seems that the issue of security is taken seriously and that the value CISOs and security experts are bringing to the table is recognized and appreciated.

The Changing Landscape of Pentesting: Insights from the Latest Report

Not too long ago, if you had asked a security executive for the top reason to conduct pentesting, they’d have told you it was meeting regulatory compliance. Checking the boxes was common practice among many CISOs. Today, however, we’re seeing an evolution from compliance-driven to security-driven practices. Our report finds that the top motivators for pentesting, according to security executives, are:

  • The need for security control validation
  • Satisfying cyber insurance requirements
  • Assessing the potential damage of an attack

This shift in the drivers and triggers for pentesting is a clear sign of the maturation of the cybersecurity industry and of a growing understanding of the value the adversarial perspective brings. Security executives now rely on pentesting as part of their strategies and plans.

Another interesting trend is the emergence of cyber insurance as a pentesting driver. In our 2020 survey, only 2% of respondents mentioned cyber insurance as a decision-making factor for pentesting; today that number has jumped to 36%. This matches what we’ve seen with our customers, who are more conscious of cyber insurance requirements than ever before.

The Role of Automation in Pentesting for Business Continuity

Security executives deal with a lot of risk, but one they are particularly worried about is the risk to business continuity.

Because software and applications are updated continually, pentesting should also take place frequently to keep coverage current and relevant. Yet 45% of respondents who conduct pentesting are concerned about the potential risk to business applications or network availability during a pentest, and this keeps them from increasing their pentesting frequency. Another barrier to more frequent testing is the shortage of manual pentesters.

Organizations want to test more, but lack the tools needed for such frequent testing.

This is why automation is so important: it allows you to test a far larger number of scenarios, and to repeat them as often as needed, with far less risk to your network.

The Benefits of Continuous Pentesting with Automation

Despite the growing need for pentesting, some organizations still struggle to get the job done. According to our survey, only 15% of organizations run automated pentesting; 39% run manual tests on their own, 42% use a third-party service, and 18% don’t run pentests at all.

Pentesting automation can help bridge these gaps. Automation enables continuous pentesting in an efficient manner, since it does not depend on the availability of manual testers and can run quickly enough to avoid business disruption.

There is even more room for optimism. By the end of 2023, nearly all (96%) of the organizations surveyed are expected to have an in-house red team: 67% already have one and 29% plan to add one. These teams can also help increase pentesting scope and velocity.

Defense-in-Depth: Is it Still the Best Strategy?

When it comes to cybersecurity, defense-in-depth is still the most widely used strategy: 92% of organizations use this approach, and only 6% have fewer than 10 security tools in place.

Yet the prevalence of cyber attacks shows that this strategy, or the way it is implemented, is not effective. Most organizations run pentests at most once a quarter, and half run them only once or twice a year.

This means that most organizations are not testing their defenses enough to know whether their security strategies are effective.

This is why we created this report: so you can learn how other companies are dealing with these issues and how to adjust your own security strategy to modern digital needs.

We hope that our State of Pentesting 2023 Report helps guide your decisions as you determine how best to improve your security posture and transform your stack into something more relevant and effective for today’s digital world.

Read the entire report here.

Written by: Chen Tene