This post is part of our 2023 cybersecurity prediction series.
Dave Gerry, CEO of Bugcrowd
The Shift to Continuous Pentesting Will Only Increase
For years, penetration testing has played an important role in regulatory compliance and audit requirements for security organizations. However, a longtime challenge with pentesting has been the “point-in-time” nature of the tests. At some pre-defined interval, the test is run against the then-current version of the application and a report is delivered. The challenge is that application development has changed significantly in recent years, and often by the time a pentest is completed and the report is delivered, the findings are already out of date because the application has changed.
Over the coming year, we will see an accelerating shift from traditional pentesting to Penetration Testing as a Service (PTaaS). Rather than treating point-in-time assessments as a necessary evil for maintaining compliance with internal or external requirements, organizations are leveraging pentesting as an important tool in their risk and security program. By completing incremental testing on the application as it changes, security organizations gain current and ongoing visibility into its security posture, since the smaller scope of each increment allows for faster testing turnaround. This gives security organizations near-real-time information on the current security posture of the application, network, or infrastructure.
It’s important to remember that every change to a network or application, whether a major or incremental release, represents an opportunity for new vulnerabilities to be introduced. Security organizations must maintain the ability to gain real-time visibility into their current posture, both from a risk governance perspective and from a compliance perspective.
A Growing Need for Security Vendor Consolidation
The rapid expansion of new security products has led many organizations to purchase the “latest and greatest” without having a strong integration plan in place. Without a clear deployment and integration plan, even the best security product will go underutilized. For the past few years, the industry has seen an incredible amount of M&A consolidation. As a result, security organizations are looking internally for ways to better leverage or upgrade their existing tool sets rather than adding to an ever-growing technology stack. This growing need for security vendor consolidation will continue to be driven by both the cost of security products and the limited internal resources available to operate them effectively.
Cybersecurity Talent Gap is a Training Problem, Not a People Problem
Attracting strong candidates has always been a core part of any business. Finding senior talent, whether in cybersecurity or another function, requires a combination of attractive compensation, career growth, the flexibility to work anywhere, and a mission that employees want to support.
It’s also important to find talent from non-traditional and diverse backgrounds, provide them with the necessary training and enablement, pay them well with additional equity incentives, and empower them to do what needs to be done. For years, we’ve been led to believe there is a significant gap between the number of open jobs and qualified candidates to fill those jobs. While this is partially true, it doesn’t provide a true view into the current state of the market.
Employers need to take a more active approach to recruiting from non-traditional backgrounds, which, in turn, significantly expands the candidate pool beyond those with formal degrees to individuals who, with the right training, have incredibly high potential.
Additionally, this provides the opportunity for people from diverse backgrounds, who otherwise wouldn’t be able to receive formal training, to break into the cybersecurity industry, providing income, career, and wealth-creation opportunities that they may not otherwise have access to.
Organizations need to continue to expand their recruiting pool, account for the bias that can currently exist in cyber-recruiting, and provide in-depth training via apprenticeships, internships, and on-the-job training, to help create the next generation of cyber-talent.