In the age of digital transformation, businesses and consumers are enabled in more ways than one can imagine. Entire industries are metamorphosing, and while it could be for the best, success comes with perpetual vulnerability. Customers’ demands are evolving and in turn demanding that businesses follow suit. This has seen an uptake of new technology architectures like microservices, serverless solutions, and containers.
Even though switching to the cloud gives an organization scalability and cost effectiveness, it requires an advanced form of cybersecurity. Today, the majority of an organization's data, and that of its customers, is stored in the cloud, where it is more susceptible to cyber-attacks.
While CISOs continue to safeguard their organizations’ data, a conversation that has preoccupied many minds on the platform is whether companies are willing to outsource penetration testing and vulnerability assessment or find a holistic solution by building an in-house team. “I’ve seen both. It totally depends on the company size and how often you need this type of service. If you have a continual need, it makes sense to build an in-house capability. If you have set time periods or gates that you need to hit and can control the scope and cost, it makes sense to outsource or do it on demand,” says Lee Vorthman, Senior Director of Global Security Engineering and Architecture at Pearson.
Organizations across industries, when moving to the cloud, take a hybrid approach, running on multiple cloud platforms. In this case, there has to be a more solution-based approach to cyber security. Franz Allan See, CTO at Uploan PH, says outsourcing cyber-security to third parties will always be required across industries. “Not all companies would need it, but if, for example, you’re in fintech, then you definitely need a 3rd party to do pen testing against your system. That way, you can claim that a 3rd party has verified and certified your system secure. However, if you do this without doing continuous testing yourself via your internal team, then the engagement with that vendor would be longer and more expensive.”
On the other hand, the cyber security market is becoming oversaturated. Third parties are coming up with holistic solutions, and as they advance and evolve, the attackers just need to find that one vulnerability to exploit. Douglas Ljung, Director of Information Security at Yapta, explains, “I do 3rd party scans (Daily Vul — Annual Pen) in Product and SDLC for validation that I’m not making the results look wonderful. I also perform ad hoc scans internally a few times per year to further supplement the 3rd party scans. I change up 3rd party vendors every few years. This has provided me with better results as not all scans are equal and it keeps me fresh on what is out there.”
The question now arises: when outsourcing, what should a CISO look for?
Douglas Ljung says that he prioritizes quality, looking for reliability of results. Next in line, he says, is price, which depends on the appetite of the organization. Reputation, ease of use, and reporting features are equally important, going by his list.
It is true that cyber security will always remain a hot target. As organizations continue to evolve technologically and move to a multi-cloud approach, outsourcing penetration testing and vulnerability assessments is a smarter choice to patch vulnerabilities. The fact that more and more CISOs, CIOs and CTOs are taking that route explains the saturation in the market.