Penetration testing is now a permanent requirement in most governance frameworks, from NIST to PCI DSS, making it a mandatory item in annual budgets and operations. While most organizations understand that a penetration test is necessary to meet their client and regulatory requirements for the year, few know what these tests actually accomplish for the organization or how they are conducted. In addition, there is no industry-wide consensus on what defines a true penetration test, which creates further confusion.
The results many organizations receive from their penetration tests are often not meaningful and are insufficient to minimize cyber risk. Companies often receive a basic vulnerability scan that was sold to them as a penetration test, or an overly simplified penetration test whose results amount to a pie chart of OWASP (Open Web Application Security Project) vulnerability categories.
Some may consider these limited approaches acceptable, and some of them were acceptable years ago, but we now operate in an environment of heightened cyber risk. For a penetration test to be valid today, it requires a modern and effective risk identification approach.
Silent Sector takes a comprehensive and tailored approach to defining cyber risk. Click Here to read our Cyber Risk Assessment Overview and learn more about Silent Sector's approach to identifying and reducing cyber risk.