
“Keeping Up with the Joneses” Should Not Be Your Network Security Strategy


Last Updated on October 22, 2019

Network Security Strategy
As Homo sapiens we are naturally competitive creatures. Although evolutionarily this has helped our species in numerous ways, there are a few times where it bites us right in our highly evolved butts…
When we perform network vulnerability assessments and network penetration tests, the one thing we’re most frequently asked is: “How does our security posture compare to other businesses you’ve tested?”
I think comparing one’s business to others is usually just a way to feel better about one’s security program, rather than understanding how to improve it. It’s like that joke about not having to outrun the bear… just the person running next to you. If your neighbors leave their doors unlocked, is that a smart standard to gauge your security against?

“The way to feel good about your security posture is to verifiably improve it”

For example, we often discuss the comparative strength of a client’s security posture in relation to Common Vulnerability Scoring System (CVSS) scores. This system rates each vulnerability on a 0-to-10 scale. You could have a decent average score across your vulnerabilities, but still have several critical vulnerabilities in the mix.
So you might think you’re doing “comparatively” OK… but it only takes one critical vulnerability to sink your ship. This is why we encourage clients to use the data we give them to prioritize remediation of their vulnerabilities, not to compare themselves to industry peers.
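To make the “average hides the criticals” point concrete, here is a small added example (not code from the original post) that summarizes two constructed sets of findings with identical mean CVSS scores and orders them for remediation; the severity bands are the CVSS v3.x qualitative ratings, and the host names and scores are made up for illustration.

```python
"""Why an average CVSS score is the wrong yardstick for remediation.

Constructed sample data. Severity bands follow the CVSS v3.x qualitative
ratings: Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
"""
from statistics import mean

SEVERITY_BANDS = (("Critical", 9.0), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))


def severity(score: float) -> str:
    """Map a 0-10 CVSS base score to its qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for name, floor in SEVERITY_BANDS:
        if score >= floor:
            return name
    return "None"


def summarize(findings):
    """Return (mean score, count of findings per severity band)."""
    counts = {name: 0 for name, _ in SEVERITY_BANDS}
    counts["None"] = 0
    for _, score in findings:
        counts[severity(score)] += 1
    return round(mean(score for _, score in findings), 2), counts


def remediation_order(findings):
    """Worst-first fix list: the criticals go before anything that merely nudges the average."""
    return [host for host, _ in sorted(findings, key=lambda f: f[1], reverse=True)]


# Constructed sample: two networks with the *same* mean score (5.5).
NETWORK_A = [("web-01", 5.5), ("web-02", 5.5), ("db-01", 5.5), ("vpn-01", 5.5)]
NETWORK_B = [("web-01", 9.8), ("web-02", 2.0), ("db-01", 9.1), ("vpn-01", 1.1)]

if __name__ == "__main__":
    for label, network in (("A", NETWORK_A), ("B", NETWORK_B)):
        avg, counts = summarize(network)
        print(f"Network {label}: mean={avg} counts={counts}")
        print(f"  fix first: {remediation_order(network)}")
```

Both networks report a mean of 5.5, yet network B carries two critical findings that the average never reveals, which is exactly why the fix list, not the benchmark, should drive the work.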
Comparisons or benchmarks may be helpful in securing funding for an information security program, or to help convince customers, regulators or other stakeholders that your security is acceptable. But it’s a slippery slope to think that being “more secure” or “as secure” as other companies actually means your data is safe.
The way to feel good about your security posture is to verifiably improve it, especially by remediating your most critical vulnerabilities. Otherwise you might develop a false sense of security that could leave you exposed.
To find out how secure you really are, and how best to improve your security posture in line with business goals, contact Pivot Point Security.

One thought on ““Keeping Up with the Joneses” Should Not Be Your Network Security Strategy”

  1. Blue Turtle says:

    Thanks for the post. Couldn’t agree more about improving security continually through verifiable processes. Without being able to verify what has been completed, security is flawed!