Governance before Pentesting: Building a Strong Security Foundation

Learn how Governance, Risk, and Compliance programs lay a solid security foundation, ensuring pentests validate controls.

Pentest: A simulated cyberattack (penetration test) to find vulnerabilities.

Governance: The system of rules and processes for managing organization risk and compliance.

When a client says, “I need a pentest,” our initial instinct is to jump straight into action in response to our client’s needs. However, it is crucial to first ask, “Why do you need a pentest?” This question can uncover whether a pentest is genuinely the next best step or if there are underlying governance issues that need attention first.

This discussion is not about diminishing the importance of pentesting. It remains a critical part of a comprehensive cybersecurity strategy. Instead, it is about recognizing that pentesting should serve as a tool to validate the effectiveness of existing security controls, rather than as an initial step to identify what controls are needed.

Why Governance Should Come First

Consider the process of building a house. Before you start laying bricks or installing windows, you need a solid blueprint. This blueprint outlines the structure, materials, and regulations that will ensure the house is both safe and durable. In cybersecurity, this blueprint is your Governance, Risk, and Compliance (GRC) program.

A robust GRC program, such as those offered through our vCISO services, helps organizations identify and address their security and governance gaps in a way that is measurable, actionable, and trackable. It lays the groundwork for a mature security posture by establishing the necessary policies, processes, and controls.

Pentesting as a Recurring Validation Tool

Pentesting should not be the first step in your security journey; rather, it should be used as a recurring validation tool. Think of it as an ongoing check to ensure your controls are working effectively, rather than as a one-time exercise to uncover gaps that should have been identified through governance and risk assessments.

The CIS Controls, a set of 18 critical security controls, support this approach. Pentesting is introduced under Control 18, after the foundational controls have been established. Before reaching this stage, organizations should already have implemented system hardening (Control 4), continuous vulnerability and patch management (Control 7), and several other important foundational controls.

The Role of vCISO Services in Strengthening Governance

GRC programs and services like our vCISO services are designed to help organizations build a strong governance framework. This includes conducting risk assessments, system hardening, vulnerability management, security awareness training, and the development of comprehensive policies and processes. Only after these elements are in place should pentesting typically be considered.

Skipping these steps and diving straight into pentesting often results in findings that highlight obvious gaps—ones that should have been addressed through basic security best practices. This approach not only has the potential to waste resources but also overlooks the opportunity to build a sustainable and resilient security posture.

Asking the Right Questions

When a client insists on a pentest, it is essential to explore the reasons behind the request. Is it driven by compliance requirements? A recent security incident? Or simply a desire to check a box? Understanding the underlying motivation can guide the conversation towards a more strategic approach, emphasizing the importance of governance and risk management as the foundation for any effective security program.

Conclusion: Governance Sets the Stage for Effective Pentesting

In the words of security industry leader Ira Winkler, “The goal of a cybersecurity program is broadly to have nothing to be found during a pentest, which should be metaphorically the cherry on the top of a good cybersecurity program. GRC is the bowl for the sundae.”

Pentesting is important, but it should be part of an ongoing process that follows the establishment of a strong GRC foundation. By prioritizing governance first, organizations can ensure that when they conduct pentests, these tests serve as effective tools for validating the effectiveness of their security controls. This approach not only enhances the value of pentesting but also strengthens the overall security posture.

So, when a client says, “I need a pentest,” we may ask, “Is your governance in place?” The answer to this question will determine the true impact of the pentest—and the robustness of their security strategy over time.

For more information, reach out to your Keller Schroeder Select Account Manager or visit https://www.kellerschroeder.com/vciso-service-offerings/


Written By:

Brad Mathis
Senior Consultant – Information Security
Infrastructure Solutions Group
