Penetration Tests Not Elon Musk Science
Do you think Elon Musk is designing a new Tesla model or SpaceX rocket without considering that his new technology must have the best systems security? When you are the top leader in your industry, even in technology innovation, someone will always try to negatively impact your brand, or steal your secrets. You better believe every piece of software or hardware designed into Musk’s products or creations is tested for vulnerabilities and defects. This is one of the reasons why we don’t hear any of his brands headlining in cyber breach news reports. The question is why wouldn’t you do the same for your business?
Whether you been breached through an incident, or an auditor is asking for the latest organizational cyber risk report, the result means countless hours and many discussions. In most cases, delivering a cyber threat assessment report from a penetration test can cost way more than what your budgeted for, and result in difficult conversations. However, there’s a secret that most cyber security experts don’t want to share. It’s not rocket science.
Before funding and approving a penetration test here are some things to consider in order to make it a quick and painless experience rather than a root canal type.
Understand and be scope specific on what’s being asked by the auditor, risk officer, board, or management. Don’t try and boil the ocean, you don’t have the time or resources. Don’t try to overachieve or under deliver, doing either will result in more work and unnecessary conversations.
Understand the tools used and the work that will be required by your team to launch, support, and conclude the penetration test. Getting to know the tools gives you a good sense of the complexity involved, the amount of time it will take to complete, and the frequency the process can be repeated. Some tools allow you to stand up the environment and leave it in place for more frequent tests to measure the remediation progress.
Always review sample cyber threat assessment reports before approving a project. The reports should identify your IT ecosystem, the specific vulnerabilities in systems or infrastructure components, risk factors, recommended and plan remediation steps, best practices, and penetration test execution evidence. If the report lacks any of these elements your most likely going to have more conversations on the gaps.
Some organizations think they don’t need a Penetration Test
This is always a fun conversation because some IT managers or executives believe that their industry is excluded from any real cyber threat attack, disruption to their operations, or any business risk. Here are some common responses we’ve heard:
- Our environment is not complex
- We have no issues with our technology assets, services, and applications
- We don’t have any customer data
- Our IT department has a good handle on it
- We just got a new router, firewall, virus protection, etc.
The excuses to justify not doing a penetration test can go on forever, but the reality is none of these are valid reasons, especially after a breach, ransomware, or failed audit. Securing your infrastructure and data is not something that is completed at a moment in time, it’s an ongoing practice. We take a step forward, measure the results, improve, and take the next step. Like a newborn child, they first learn how to turn over, crawl, stand, then walk. Even adults, who are proficient at walking stumble at times, but the idea is to learn from those experiences and move forward.
Without truly understanding the vulnerabilities in operating systems, appliances, or applications there is no real way to identify, resolve, and protect your brand. Organizations must take a step back and be honest while asking the question “what would happen to our business if we lost power, access to email or data, patient data stolen, or assembly line shutdown for 1 hour, 1 day, or 1 week?”.
Every business in any industry can be impacted in this digital age. Elon Musk’s stock price and market share proves that he often makes the right decisions, not because he is our generations Albert Einstein, but because he leverages the knowledge of his team and their experience and trusts them. You can certainly bet he is constantly scanning for vulnerabilities and improving them through his design process, but he also knows his team’s limitations and understands when to leverage experts.