Security Testing Lags Behind IT Changes: Survey

There is a significant gap between how often enterprises make changes to their IT environments and the frequency of their security testing, according to a new report from Pentera.

Pentera released the findings from its third annual survey, the State of Pentesting 2024.

The report shows that while 73% of enterprises report changes to their IT environments at least quarterly, only 40% conduct pentesting with the same regularity. This discrepancy poses a risk, as it leaves organizations vulnerable to security breaches for prolonged periods.

The survey draws on responses from 450 CISOs, CIOs, and IT security leaders from large enterprises globally.

Investment and Impact of Security Testing

Meanwhile, enterprises are investing heavily in security testing, with an average spend of $164,400 annually, nearly 13% of their total IT security budgets. Despite this investment, the report reveals that 60% of organizations perform pentests only twice a year or less.

This infrequent testing provides only a snapshot of an organization’s security posture, potentially overlooking emerging vulnerabilities, according to the study’s authors.

The survey also finds that over 60% of enterprises face a minimum of 500 security events requiring remediation each week. The goal of becoming "patch perfect" is increasingly unrealistic, the authors write, as organizations struggle to manage the sheer volume of security issues.

Over the past 24 months, 51% of enterprises reported experiencing a breach, highlighting the challenges of managing a large array of security tools effectively.

Overcoming Obstacles to Pentesting

In the past, penetration testing was a contract-based, complex effort that organizations often struggled to carry out more frequently than a few times a year. But innovation and access to penetration testing as a service (PTaaS) have made the practice much more accessible, and provide opportunities for MSPs and MSSPs to offer these services to customers.

Pentesting solution vendors like Pentera, HackerOne, BreachLock, and Cobalt that deliver PTaaS platforms enable organizations to perform a penetration test daily, or even as frequently as after each code change. While cloud penetration testing identifies security gaps in certain cloud environments, PTaaS facilitates more frequent testing across all environments.

Additional Insight

Jason Mar-Tang, field CISO at Pentera, commented:

"The results of our latest report are indicative of the increasing infrastructure complexity of organizations today and the rising challenges that security teams face along with it. Close to a third of CISOs who cited a breach reported financial loss and data exposure, while 43% reported unplanned downtime as a result of the breach. Attack surfaces are more dynamic than ever and resources are limited, making it even more critical for organizations to proactively validate their risk exposure with accuracy and pinpoint exploitable gaps across the complete attack surface."

About Pentera

Pentera provides automated security validation. Pentera's solutions are used by thousands of security professionals and service providers worldwide.