Alarming? Absolutely.
A recent survey of CISOs and CIOs, commissioned by Pentera and conducted by Global Surveyz Research, offers a quantifiable glimpse into this evolving battlefield, revealing a stark contrast between the growing risks and the tightening budget constraints under which cybersecurity professionals operate.
With this report, Pentera has once again taken a magnifying glass to the state of pentesting to release its annual report about today’s pentesting practices. Engaging with 450 security executives from North America, LATAM, APAC, and EMEA—all in VP or C-level positions at organizations with over 1,000 employees—the report paints a current picture of modern security validation practices across the enterprise.
Key findings include:
Security Breaches Persist Despite Investments
The 2024 report reveals that enterprises have an average of 53 security solutions, yet they are struggling to maintain the Confidentiality, Integrity, Availability (CIA) triad. As part of security policies and practices, this triad protects information systems and data from various threats, ensuring that information is safe, reliable, and accessible to the right people.
This reality is underscored by the fact that 51% of CISOs surveyed admitted to a cybersecurity breach in the past two years. Such breaches have led to significant operational disruptions, including unplanned downtime, data exposure, and financial losses. Only 7% of enterprises avoided substantial impact resulting from a breach. These incidents demonstrate the importance of having strong cybersecurity defenses.
Enterprises experienced a nearly equal distribution of attacks across their IT infrastructure; including remote devices, on-premise, and cloud environments, pointing to the need to regularly test and secure each of these domains. The heightened profile of the cloud as an attack target is consistent with other industry reports. Crowdstrike’s Global Threat Report for 2024 reported a 75% increase in cloud intrusions YoY. They projected that in the coming years, as more organizations progress with their cloud migration efforts and shift toward predominantly cloud or cloud-native deployments, this figure will increase.
Increased Executive and Board Involvement
In light of high-profile breaches making headlines, there’s a notable surge in cybersecurity oversight from the top. Over half of the CISOs now regularly report pentest outcomes to their boards of directors, highlighting the strategic importance of cybersecurity to the enterprise. CISOs are increasingly using pentest reports as a way to better communicate cybersecurity risks to their executive teams and boards.
Additionally, 31% of CISOs share pentest outcomes with customers, acknowledging the importance of transparency in managing third-party and supply chain risks. Adopting this practice not only builds trust but also promotes a culture of openness about cybersecurity challenges and measures.
Closing the Pentesting Gap
The survey highlights a disconcerting gap between the frequency of IT environment changes and the cadence of security testing. While 73% of organizations report making quarterly IT changes only 40% match this pace with their pentesting efforts. This leaves organizations open to risk for extended periods.
On average, enterprises dedicate $164,400 to manual pentesting, representing 12.9% of their annual IT security budget. With 60% of organizations pentesting twice a year at most, this is a large investment and a sizable portion of the budget for a security activity that provides just a snap-shot assessment of the security posture. Given the importance of pentests towards improving IT resilience, it’s worth considering solutions that provide scalable continuous pentesting.
Patch Perfect Isn’t Realistic
Beyond remediation activities, security teams are tasked with a diverse set of responsibilities that stretch them to their limits.
Against this backdrop, companies are flooded with security events. With over 60% of enterprises reporting they receive at least 500 incidents requiring remediation weekly, patch perfection has never been more elusive. It’s increasingly clear that the art of prioritization is one that security teams will need to learn to keep their organization’s well-protected. Security teams who are able to efficiently understand the context of a vulnerability, its compensating controls, and the data it leads to will be the ones to stay in the game.
What do These Findings Mean?
The State of Pentesting Survey of 2024, by Pentera, underscores a critical juncture for cybersecurity: As threats continue to evolve, many security solutions fail to mitigate them, requiring CISOs to more consistently validate the security of their infrastructure.
The insights from this survey are not just statistics—they are a call to action for better, more efficient cybersecurity practices that align with the financial and operational realities of our time.
Unpack key findings from the 2024 State of Pentesting Survey in this webinar. Join us as we explore the findings, discuss strategies to manage cybersecurity, prioritize tasks, and learn how to communicate your security posture to leadership more effectively.
Download the 2024 State of Pentesting Survey or register here to attend the live webinar.
Written by: Pentera Research