Brendan Smith on the Pitfalls of Traditional Pen Tests and the Need for Relationship-Based Cyber Security

In recent years, there has been a shift in how organisations approach penetration testing.

While pen tests have traditionally provided value by identifying strengths and weaknesses in defences, organisations now tend to rely on them for compliance or (worse) to produce a single score for the board, rather than as a tool for actionable security improvements.

An issue is that pen testers themselves often specialise in certain areas and may not thoroughly test other potential weak points. Additionally, organisations may limit the scope of pen tests, focusing only on specific assets or areas, overlooking other potential attack vectors. Consequently, they may miss vulnerabilities that attackers exploit, leading to breaches despite receiving favourable pen test scores.

In this context, the industry should move towards a more holistic cyber security approach that covers all potential vulnerabilities. Companies must broaden the scope of their pen tests to reflect real-world attack scenarios. Breaches often occur due to factors beyond specific vulnerabilities, and comprehensive testing is essential for effective security posture.

Requirements and norms often dictate the frequency and scope of pen tests. While budget constraints sometimes play a role, most organisations are able to prioritise pen tests due to compliance obligations, rather than cost concerns. Organisations would have no problem allocating more budget if the value of these tests were clearer, Brendan believes.

Unfortunately, in reaction to this, the industry tends to prioritise sales and standardised offerings over understanding clients’ unique requirements. However, delivering value and building long-term relationships is so much more important.

In fact, we need relationship-based services in which trust and open communication with security providers allow for a deeper understanding of specific needs. Effective security measures should improve a client’s overall security posture, not just produce reports with high scores.

It is important to focus on people and values rather than solely on technology. While automation has its place, experienced security professionals can bring creativity and critical thinking to the table, something automated tools currently lack.

Cyber security leaders should support, guide, and empower passionate professionals to continue developing without stifling them with bureaucracy or irrelevant objectives. It’s crucial to foster an environment where they can thrive and grow in their expertise.

In his role, Brendan focuses on understanding needs and facilitating access to others’ expertise to ensure value is created. This involves educating clients on the significance of what is being delivered and ensuring that any actions, such as pen testing, result in tangible improvements in security posture and governance maturity.

Many existing Security Operations Centers (SOCs), in-house and managed, could be more effective. Even when using top SOC providers, Brendan’s experience was that they instilled minimal confidence among executives and security professionals alike.

It’s not entirely the providers’ fault. Managing a SOC is inherently challenging, especially with diverse client telemetry and numerous security tool formats. The traditional SOC model has merits but struggles to keep pace with modern cyber threats and organisational needs.

Given the limitations, an alternative is establishing a higher-skilled security operations team instead of a dedicated 24×7 SOC.

There have been notable advancements in SOC technology, with some major providers leveraging AI and automation. However, for most organisations, a Managed XDR (extended detection and response) solution may be more beneficial. These providers can efficiently handle vast amounts of telemetry and construct a robust security platform, which is increasingly necessary given the rapidly evolving threat landscape.

It is nigh-on impossible to have everything fully patched and secure, Brendan emphasises. So it’s critical that as well as working towards this challenging goal, organisations must also focus on other aspects of security, particularly the response and recovery strategy. All to often these domains are ignored.

While detection and protection strategies are often covered, response and recovery planning must be addressed better. Part of the issue and complexity lies in the necessity for security teams to engage with business stakeholders to evaluate the impact of incidents and facilitate system recovery. 

However, striking a better balance between ‘detection and protection’ and ‘response and recovery’ is crucial. This ensures that when an incident occurs, and systems are compromised, the organisation can swiftly recover without enduring catastrophic losses. 

Pen testing remains valuable within the broader security context. Like vulnerability scanning, patching, and compensating controls, it’s a piece of the puzzle, not a silver bullet. Organisations shouldn’t rely solely on pen tests for a complete security picture.

Instead, embracing diverse security testing methodologies is essential. Inviting red teams or specialists for specific areas can provide additional, valuable insights. The goal should be to comprehensively understand the security posture and look at managing risk as a process, not a checkbox exercise.

Are you looking for a cyber security team that prioritises relationships and strives to drive value with every engagement? Drop us a line. 

If you want to learn from more top cyber security experts, check out our blog, watch our interviews, and follow us for updates.