As a company, we’ve tried to understand which organizations are most likely to mature their information security programs. It seems that the answer should be obvious: organizations with valuable assets or the need to have data highly available should be very concerned about information security. This could translate into organizations that have a lot to lose, ones that have high profit margins, or those involved with the nation’s critical infrastructure. Interestingly, this is generally not the case. In fact, the primary drivers for maturing information security within an organization are regulations or contractual standards with strong penalties for non-compliance. Why is this? One problem is that risk is very subjective. In a downturn, the risk equation can change dramatically. If you are fighting for the survival of a firm, it’s easy to justify not investing in information security. Compliance, however, is not as subjective. While there is room for some interpretation, compliance regulations and standards are stable, detailed, and consistent. This means that compliance is easier to justify, easier to plan for, and easier to assess. But while meeting compliance standards can be a very good thing, it does create a problem: risk is often left out of the equation. For example, payment card industry (PCI) data often gets more attention at hospital systems than does protected health information (PHI). Based on risk, the patient-related data and services should be classified as at least as important as the credit card information. It usually is not, however. Without a risk-based approach or a strong compliance standard like PCI, PHI won’t get the attention it deserves. (The PHI standards are being tightened somewhat, by provisions of the American Recovery and Reinvestment Act, or ARRA, passed this year by Congress.) Compliance can help speed the maturation process, and it is valuable in other ways, but it lacks the depth and breadth of a risk-based approach. Additionally, creating regulations and standards for all things that should be secured just isn’t possible. In an ideal world, organizations will take a more holistic, risk-based approach that includes compliance, but this may have to wait until the economy turns around.
PTaaS is NetSPI’s delivery model for penetration testing. It enables customers to simplify the scoping of new engagements, view their testing results in real time, orchestrate faster remediation, perform always-on continuous testing, and more - all through the Resolve™ vulnerability management and orchestration platform.
We help organizations defend against adversaries by being the best at simulating real-world, sophisticated adversaries with the products, services, and training we provide. We know how attackers think and operate, allowing us to help our customers better defend against the threats they face daily.
At NetSPI, we believe that there is simply no replacement for human-led manual deep dive testing. Our Resolve platform delivers automation to ensure our people spend time looking for the critical vulnerabilities that tools miss. We provide automated and manual testing of all aspects of an organization’s entire attack surface, including external and internal network, application, cloud, and physical security.
Our proven methodology ensures that the client experience and our findings aren’t only as good as the latest tester assigned to your project. That consistency gives our customers assurance that if vulnerabilities exist, we will find them.