As the frequency of cyber-attacks increases and businesses adopt more distributed workforces, the focus on cyber risk management has expanded beyond the purview of Chief Information Security Officers ("CISOs") to a much broader group of stakeholders who face indirect exposure to cyber risks (e.g. CEOs, boards, shareholders, regulatory bodies, cyber insurance providers, partners/vendors, etc.). These stakeholders expect enterprises to be able to assess their cyber risk at any given moment and quickly remediate their exposure to critical vulnerabilities. However, continuously validating security efficacy is becoming even more difficult against a growing attack surface.
Historically, there have been two main approaches to addressing this issue: manual penetration testing ("pen testing") and the use of vulnerability management ("VM") scanners. Manual pen tests are time-intensive and cost-prohibitive to run more than once or twice a year, leaving enterprises with a lack of visibility between tests. On the other hand, VM scanners (such as Qualys and Tenable) run continuously but fail to provide the depth of prioritization required to focus remediation on the vulnerabilities that can actually be exploited.
Our diligence suggests that continuous testing is one of the top priorities for organizations today and that the market is headed towards automated pen testing and security validation as the industry best practice.