
Regulators and Threat-led Penetration Testing


I will say up front that, as a supplier in the field of cybersecurity, our views can hardly be claimed to be unbiased: we benefit when regulators mandate Threat-Led Penetration Tests (TLPT, the regulator-driven form of red teaming, where the scenarios are built from threat intelligence about the adversaries most likely to target the organisation).

In previous blogs we have made the point that security is viewed as a cost centre, a drain on resources: when it is working it is largely invisible and does not appear to add any benefit. We have also noted that many businesses underinvest in security testing because they believe they are too small to be targeted, or they underestimate the risk. And we have pointed out that in too many cases security is treated as a box-ticking exercise, with controls reduced to tick boxes for the auditors.

All of these are true, and in the vast majority of cases they occur in sectors where there is no regulator, or where the regulator is not empowered to drive investment in cybersecurity. The irony is that every regulated and unregulated organisation we have seen go through a TLPT engagement (and here we include Government departments) comes out of it with a monumental shift in attitude. Yes, it usually identifies areas that need investment, but the cost of a TLPT can be many times lower than the cost of a breach, and knowing where your blind spots are, and being in a position to do something about them, is invaluable.

Given our role as an accredited TLPT supplier, our relationship is not with the regulators; it is with our clients. We do have responsibilities under the regulatory schemes to report if a scheme is being abused by a client, but ultimately we work for our clients: we want to help them solve problems and become stronger. Furthermore, TLPT engagements, red team or not, are not pass-or-fail exercises; they exist to improve organisational resilience. The regulators know this, fully support this message, and even ask us, as suppliers, to underline it to our clients.

Ironically, the more of these we do, the less our clients should in theory need us, as they improve their detection and response controls and increase their resilience to attack. Regulators will, however, always want independent verification of those controls. If you look at the regulatory schemes (TIBER, CBEST and the like) and at legislation such as DORA, you will note that these engagements are expected at least once every three years (the minimum cadence DORA sets). The gap is there to give organisations time to address findings and improve their resilience between tests; it does not mean an organisation cannot test itself, independently of the regulator, in between the mandated engagements.

So regardless of whether you are in a regulated industry or not, consider the benefits to your organisation of identifying and addressing your cybersecurity risks, improving your resilience, and perhaps even lowering your insurance premiums by demonstrating due diligence. Security is not a competitive advantage, but it can make all the difference to a business's survival.

If you’d like to explore how Prism Infosec can help you address your cybersecurity risks, feel free to get in touch.
