Cybersecurity has become the top concern for businesses globally, with attacks increasing in number and becoming more damaging than ever. Cybersecurity and GRC are often looked at as independent of each other; however, it cannot be denied that their goals clearly overlap.
Cybersecurity is driven by the aim to protect company assets – a technical requirement. On the other hand, GRC is driven by the aim to comply with regulatory obligations. But at the core, both cybersecurity and GRC are crucial for controlling and managing sensitive data.
Risk Management and Vulnerability Management
According to ISO 27001, a vulnerability is “a weakness of an asset or a group of assets that can be exploited by one or more threats.” A vulnerability is different from a risk in that it is always internal. So, a risk could be hackers trying to access information, whereas a vulnerability is a weak password protecting that information.
Vulnerability Management refers to the process of identifying, evaluating, and treating security vulnerabilities. It is crucial for organizations to include vulnerability management in their security initiatives. It helps you improve controls and assess risks for taking action to strengthen security. It also helps to make your compliance programs more effective. Read more about vulnerability management in Understanding Vulnerability Management.
In the context of cybersecurity, risk management refers to managing IT risks that are related to the company’s use of technology, procedures, and processes. It aims to identify potential threats that can endanger cybersecurity and defines actions to manage these threats.
Vulnerability Management, on the other hand, refers to managing the existing weaknesses in the technology that can be exploited. It identifies the weaknesses in the controls and assets that bad actors can exploit to cause harm.
Risk and Vulnerability Management through Penetration Testing
Penetration testing is a very effective way to identify vulnerabilities. It also plays an important part in risk evaluations. It is helpful in determining the effectiveness of your cybersecurity programs. Let’s see what penetration testing is.
A penetration test is a controlled cybersecurity attack on your organization carried out by security experts. It is a simulated attack to identify vulnerabilities so that they can be addressed before an actual attack causes real damage.
The results from a penetration test reveal how hackers can access sensitive data by exploiting the vulnerabilities in your systems, networks, and employees. These results can help you evaluate the following:
- Existing security policies
- Employees’ awareness and resilience to phishing or social engineering
- Regulatory compliance levels
- Incident response time
- Quality and effectiveness of incident response
By exposing your organization’s vulnerabilities through penetration testing (or pen testing), you are better able to assess and manage the risks. Thus, risk management and vulnerability management are vital to both cybersecurity and GRC, making penetration testing an optimum method to achieve better insights into your cybersecurity programs.
Why Penetration Testing?
Let us look at how risk management works for cybersecurity. It can be broken down into 3 parts.
- Identifying data and resources that need protection
- Identifying and managing vulnerabilities
- Identifying and managing risks
An important part of risk management is to take into consideration the vulnerabilities to assess the likelihood and impact of a risk. There is a wide range of security practices that can help you achieve this. But penetration testing emerges as the most comprehensive method.
When the time, effort, and cost required for penetration testing are weighed against the results, it gives the most conclusive findings and the most powerful insights, making it a good choice. The other reason is that penetration testing is a requirement of NIST, PCI DSS, GDPR, HIPAA, ISO 27001, SOC 2, and other regulations.
How to use penetration testing results?
Penetration testing might reveal vulnerabilities that you would otherwise have never imagined existed in your organization. It will also give you detailed insights into where the weaknesses are. This is how you can use these insights:
- Review vulnerabilities and risks: Each vulnerability exposed, and the risk associated with it, must be reviewed to determine the causes. It helps to involve the asset owner, the risk owners, and any other persons who are directly involved or impacted. The risks and vulnerabilities need to be quantified.
- Replicate the issues highlighted by the testing: The results from penetration testing will give you enough information to replicate the issues that the testers found. This will help you understand the vulnerability in depth and will help you take action to manage it. Replicating the issues will also help eliminate false positives.
- Determine the severity of the risks and vulnerabilities: By assigning levels to risks and vulnerabilities, you can understand the severity and prioritize further actions.
- Resolve the issues: The issues identified can be resolved using the following options –
1. Remove vulnerabilities
2. Reduce vulnerabilities
3. Manage and monitor those vulnerabilities that can neither be removed nor reduced
4. Accept vulnerabilities as part of the risk acceptance
- Implement fixes: Implement fixes related to removing or reducing vulnerabilities.
- Review the fixes: Review the results of the fixes implemented. Reviewing and monitoring the vulnerabilities and identifying when you might need another penetration test is an ongoing process.
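The three-part breakdown of risk management above (identify the assets, then the vulnerabilities, then the risks) and the six steps for using penetration-test results can be joined into a small, prioritised risk register. The following is an added example written for this article, not code from 6clicks or from the original page; the asset inventory, the findings, the 1–5 likelihood scale, the likelihood × impact scoring and the severity thresholds are all hypothetical and should be replaced with the scales your own risk methodology defines. It maps each finding to one of the four treatment options (remove, reduce, monitor, accept) and keeps unreplicated findings out of the ranked list until they are confirmed, which is how false positives are eliminated.

```python
from dataclasses import dataclass
from typing import Dict, List

# Step 1 of risk management: the assets that need protection.
# Constructed inventory; value 1 (low) .. 5 (critical) is the business impact
# of losing confidentiality, integrity or availability of the asset.
ASSETS: Dict[str, int] = {
    "customer-db": 5,
    "hr-portal": 4,
    "marketing-site": 2,
}


@dataclass
class Finding:
    """One finding taken from a penetration-test report (hypothetical fields)."""
    finding_id: str
    asset: str
    title: str
    likelihood: int              # 1 (hard to exploit) .. 5 (trivial), rated at review
    replicated: bool             # internal team reproduced the tester's result
    fix_available: bool          # vulnerability can be removed (patch, config change)
    mitigation_available: bool   # vulnerability can be reduced (extra control)


def impact(f: Finding) -> int:
    """Impact inherits the protected asset's value; an asset missing from the
    inventory gets the maximum so that the gap surfaces during review."""
    return ASSETS.get(f.asset, 5)


def risk_score(f: Finding) -> int:
    """Hypothetical likelihood x impact scoring, range 1..25."""
    return f.likelihood * impact(f)


def severity(score: int) -> str:
    """Severity bands for the 1..25 score (thresholds are assumptions)."""
    if score >= 20:
        return "Critical"
    if score >= 12:
        return "High"
    if score >= 6:
        return "Medium"
    return "Low"


def treatment(f: Finding) -> str:
    """Map a finding to one of the four resolution options in the article."""
    if not f.replicated:
        return "unconfirmed"   # possible false positive: replicate before acting
    if f.fix_available:
        return "remove"
    if f.mitigation_available:
        return "reduce"
    if severity(risk_score(f)) in ("Critical", "High"):
        return "monitor"       # cannot be removed or reduced, too severe to accept
    return "accept"            # formal risk acceptance by the risk owner


def build_register(findings: List[Finding]) -> List[dict]:
    """Rank confirmed findings by score; unconfirmed ones sink to the bottom."""
    rows = []
    for f in findings:
        s = risk_score(f)
        rows.append({"id": f.finding_id, "asset": f.asset, "title": f.title,
                     "score": s, "severity": severity(s), "treatment": treatment(f)})
    rows.sort(key=lambda r: (r["treatment"] == "unconfirmed", -r["score"]))
    return rows


# Constructed sample findings standing in for a pen-test report.
SAMPLE_FINDINGS = [
    Finding("PT-01", "customer-db", "Injection flaw in search endpoint", 5, True, True, True),
    Finding("PT-02", "hr-portal", "Admin login lacks multi-factor authentication", 3, True, False, True),
    Finding("PT-03", "marketing-site", "Verbose server version banner", 2, True, True, False),
    Finding("PT-04", "customer-db", "Scanner-reported outdated TLS cipher", 4, False, True, False),
    Finding("PT-05", "hr-portal", "Legacy integration needs weak protocol", 4, True, False, False),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_FINDINGS):
        print(f"{row['id']}  {row['severity']:<8} score={row['score']:<2} "
              f"{row['treatment']:<11} {row['asset']}: {row['title']}")
```

Run as a script, the register lists PT-01 first (score 25, remove), then PT-05 (16, monitor) and PT-02 (12, reduce), and puts PT-04 last as unconfirmed even though its raw score is 20. The final "review the fixes" step is the same register re-run after remediation: a finding whose fix has been applied and verified should drop out, and any that reappears on the next test is a signal that the fix did not hold.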
How does penetration testing help with GRC?
Penetration test results can improve your GRC programs. Here’s how.
- It helps to evaluate the effectiveness of security policies and controls being used.
- It shows the level of security awareness in the employees thus validating the effectiveness of training and awareness programs.
- It provides insights to improve the security lifecycle.
- It provides evidence to support regulatory compliance.
- It helps in risk assessment and management.
- It helps determine the vulnerability and risk to the confidentiality, integrity, and availability (CIA) of sensitive data.
Also, penetration testing is mandated by regulations such as:
- ISO 27001, in its Objective A.12.6.1, mandates the identification of technical security vulnerabilities, evaluation of the exposure to these vulnerabilities, and measures to address them. This can be effectively achieved with pen testing.
- GDPR Article 32 requires a process for regularly testing and evaluating data security measures. The penetration test is the most balanced test for this.
- PCI DSS requires penetration testing to be performed at least once every year or when there are any significant changes to the infrastructure.
These are only a few examples that explain why pen tests are becoming increasingly popular. In fact, 68% of respondents in a 2020 pen testing survey said that compliance is the primary reason behind performing penetration testing.
How often should you carry out penetration tests?
Penetration tests are part of the regular set of activities you need to carry out to ensure your cybersecurity program is updated to cope with the latest risks and vulnerabilities. While some companies perform pen testing every year, some might need it every quarter.
The more tests you run, the more insights you will gain into your vulnerabilities and risks, enabling you to take appropriate actions. You should aim for at least one penetration test annually, and schedule more depending on other considerations.
Here are some considerations to help you decide the frequency of pen testing that is suitable for your company.
- Company size: Larger companies need penetration tests more often than smaller companies.
- Budget: A practical consideration. Since penetration tests might incur high costs, larger enterprises might be able to afford them more frequently than smaller companies.
- Risk exposure: If company information has high exposure and the risk surface is also larger, penetration tests might be needed more frequently.
- Compliance: Depending on the compliance you are trying to achieve, you might need to take into account the requirements and schedule penetration tests accordingly.
You should also perform a penetration test if you are doing any of the following in your company:
- Changing office location
- Creating new office locations
- Adding network infrastructure or web applications
- Modifying end-user policies
- Upgrading information systems
- Applying security patches
Enhancing cybersecurity is an ongoing process. Penetration testing for cybersecurity is more relevant now with cyber-attacks becoming more sophisticated. With the added advantage of penetration testing helping with GRC, the test becomes one of the most effective and preferred testing methods.
Know how 6clicks can help in GRC implementation with content, AI, and automation. Get in touch with our team and take a free tour of the platform.