In its State of Pentesting Report, Cobalt reveals an industry struggling to balance using AI with protecting against it, while facing significant resource and staffing constraints.
Pentesting plays a key role in addressing this challenge, equipping organizations to security test critical assets, expanded environments, and proliferating cloud applications more frequently.
Cobalt analyzed 4,068 pentests, revealing a 21% increase in the number of findings per pentest engagement year-over-year, aligning with increases in Common Vulnerabilities and Exposures records.
Findings indicated that the median time to fix vulnerabilities also increased compared to previous years.
In addition to its pentesting analysis, the report also includes a survey of more than 900 cybersecurity professionals across the U.S. and U.K. The study digs into how cyber professionals are balancing internal staffing and working with external partners, the push-pull of AI as both a tool and a threat, and the challenges the C-suite faces to lead change.
The study highlights the push-pull relationship cybersecurity teams have with AI. 86% say their teams have adopted AI-powered tools, while seven in ten respondents also cite an increase in threats coming from AI. Throughout 2023, Cobalt performed an increasing number of pentests on AI systems, primarily on software products incorporating AI-enabled chatbots to improve user experience.
The most common vulnerabilities uncovered included prompt injection, model denial of service, and prompt leaking.
Despite the increased investment, 59% of teams worry they are still behind the AI threat.
The report captures the reality of significant industry layoffs and uncertainty that plagued 2023 and the hangover effect layoffs continue to have on threat levels.
31% of respondents said their organization conducted layoffs during the past six months, and of those agree their organization faces greater cyber risk due to those departures.
If not addressed, cybersecurity teams are looking at further losses, as 29% of those who have been impacted by layoffs/resignations say that they currently want to quit their jobs.
Most concerning is that there are no signs of a strong staffing recovery.
Nearly one-third of respondents report being on a hiring freeze, and 29% expect to do more layoffs still this year.
Looking at the data, Cobalt sees a 39% year-over-year increase in the overall volume of high- and critical-severity findings.
This is leading many companies to look at how they will utilize partnerships and vendors to improve security measures, with 59% agreeing they will increase pentesting in 2024.
As attacks rise, C-suite executives increasingly find themselves at the top of the accountability and liability food chains.
It's clear that respondents are feeling this pressure: C-suite respondents are 31% more likely than non-C-suite respondents to say the industry environment is impacting their mental health, and 51% more likely to say it's impacting their physical health.
Like their staff, they cite challenges balancing talent shortages and budget constraints against both increasing and emerging threats.
Despite these challenges, C-suite leadership is proven to be critical to cybersecurity, with 23% noting that C-suite leadership is more critical than budget to preventing attacks.
Pentesting remains a reliable way to identify both historic and nascent vulnerabilities within applications and systems, and security teams should maintain their commitment to regular pentesting as technology and cybercriminals advance in tandem with one another.
This Cyber News was published on www.helpnetsecurity.com. Publication date: Thu, 09 May 2024 16:13:06 +0000