Innovation and Consistency: The Right and Left Brain of Vulnerability Management
Pentesting has attracted a workforce filled with intensely creative and highly curious technical minds. Ironically, however, we see vulnerability management programs advance and accelerate when creativity is paired with a framework that drives quality and consistency. Is this an indication that our industry has matured to the point that the level of innovation is diminishing? Far from it. In fact, the best cybersecurity programs and providers incorporate and embrace both innovation and consistency.
Innovation Remains Mission Critical
First, it’s important to understand that there are a couple ways to define innovation. The first, of course, is through the lens of creativity and disruption. Attackers don’t have any boundaries when it comes to figuring out how to exploit a program or system; neither should cybersecurity teams. Finding new ways to break things is a critical part of the job.
A second way to define innovation is more pragmatic. While companies need to address large volumes of vulnerabilities and develop strategies to remediate them, most security teams are faced with doing more with less due to budget restrictions, lack of resources, and other constraints. The only way to accomplish this is to adopt some level of automation. Moreover, automation is critical for handling mundane or repetitive processes to free up time for humans – pentesters, developers, and others – to exercise their creative minds. As in any industry, automation enables people to perform at their highest potential, and when used correctly, it becomes a force multiplier.
Consistency Plays a Vital Role, Too
As partners to large corporations and other organizations that have extensive testing programs, we must have consistency in our testing approach. When we find a new vulnerability within one client’s environment, our consistent, systematic process enables us to add that one vulnerability to a checklist for each and every test we do in the future, regardless of the individual tester. This process frees up time for our team of pentesters to be more innovative in finding ways to exploit a program or system, while also ensuring as much coverage as possible.
Another way to approach consistency is through more regular testing for vulnerabilities instead of performing a pentest on your network as an annual compliance tool that results in static PDF reports with out-of-date vulnerability information. As a best practice, vulnerability management measures should employ continuous monitoring, with real-time reporting that enables companies to remediate vulnerabilities as quickly as possible. This new paradigm, known as Penetration Testing as a Service (PTaaS), employs both automated scanning and manual tests that dive deeply into applications and networks.
Striking a Balance Between Innovation and Consistency
How our industry maintains the balance between innovation and consistency should start with our people. While it may seem easier to screen for skills versus personality, the goal is to look for people that can not only think like an attacker, but also excel within a framework that supports individual agility, and leads to a consistent and high quality outcome. A tip? Search for individuals who have an interest in information sharing and bettering the larger security community; those who develop new tools (or improve existing tools) and participate in continuous learning in their free time typically have the capability to be extremely innovative. With a well-rounded workforce and mindset, organizations can gain an edge on their competition, disproving the notion that who you get determines the quality of the services delivered.
To be successful in the world of vulnerability management and pentesting, it’s critical that providers offer a balance between creative disruption and methodical, systematic structure. Together, both right-brained and left-brained talent and solutions result in the very best tests that help organizations stay ahead of ever-changing attack surfaces.