
Avoiding the pitfalls of an ordinary Security Assessment

October 18, 2012

How about taking a different approach to the ordinary Vulnerability Assessment or Penetration Test? It’s time to start thinking outside the compliance checkbox.

When we think about the numerous challenges our clients face in developing a mature, effective Information Security Program, a few key items always bubble up, among them the rationale and budget for Security Assessments.


One common theme we encounter is how to convey to decision-makers the importance of performing in-depth vulnerability assessments and penetration tests throughout the year. What is often overlooked is the actual reason a company performs these assessments: to understand what your risks are, where they are, and whether the controls in place are effective. It doesn’t stop there. Once you’ve identified a risk, it’s imperative to execute a remediation plan and, just as importantly, to retest so that the loop is closed and the fix is verified. Lastly, you need to report that outcome to your organization with tangible metrics (for example, time to remediate and findings that recur from one test to the next) in order to demonstrate progress.


Having a recurring line item in your budget for annual security assessments is going to be a lot less expensive than the cost of an actual breach. Think about the damage to your company’s brand or reputation, the costs associated with notifying customers and shareholders, and the overall impact on your IT department for recovery and remediation from a breach. Combined, these costs will easily exceed the expense of comprehensive, proactive testing tenfold.

It’s important to note that vulnerability and penetration testing is not a guarantee that your environment is secure. It is one component of an overall program, a prescriptive measure that helps you identify risk, reduce it, and improve your security posture.

When it comes to Vulnerability Assessments and Pen Tests, one of the biggest misconceptions is thinking that “I only need to assess my Card Holder environment”. The issue here is that malicious attackers don’t limit themselves to a single range of handpicked IP addresses or systems, and they don’t wait for business hours. In their minds, everything is fair game at any time, and a system you left out of scope is often the foothold from which the in-scope environment is reached.

Please don’t limit yourself to “cherry picking” and only concerning yourself with meeting the minimum requirements of a compliance initiative. Expand your scope to include all external-facing systems, internal systems and, probably most importantly, the human factor. Social Engineering is one of the most effective techniques used to gain unauthorized access to sensitive and proprietary company data, and it remains one of the most common initial-access vectors used by successful attackers all over the world.


According to the results from CSO Online’s 2012 Global Information Security Survey of 12,052 respondents, only 47 percent have Threat & Vulnerability Assessments in place in their enterprises, 28 percent outsource this effort, and 18 percent have nothing in place. From that same survey, 40 percent have an in-house pen testing program, 32 percent outsource it, and 22 percent are doing nothing. So what this tells us is that fewer than half of the respondents, which is probably a fair representation industry-wide, are running these assessments themselves on a recurring basis, and roughly one in five is not assessing their environment at all.

The Security Assessment process should always be treated as a lifecycle, not a project. It doesn’t stop when vulnerabilities are identified, and it isn’t limited to checkbox compliance; findings are followed through to remediation and retest. Keep in mind, too, that your enterprise will inevitably change within days, weeks or months as a result of new technologies, upgrades, migrations, routine maintenance, patch management and more, so an assessment is only a snapshot of the environment as it was on the day it was tested.

The FishNet Security Assessment Team is one of the leading firms in the world, performing Security Assessments for Fortune 100-1000 clients as well as the SMB market. Please contact your local sales representative for more information on our assessment offerings and portfolio. Let us do the work for you so your IT security department can focus on other initiatives and priorities.
