CISO demands second opinion after internal reporting showed zero vulnerabilities

Security testing within a large government department was dispersed, performed by various teams. Pentesting was required, but each division operated somewhat independently and hired testers with varying skill levels. Results were inconsistent, and data from testing was trapped in written reports rather than structured data. The CISO could not easily determine the quality of testing, remediation status, or the need for security improvements.

Pentest reports filed by several of the agency's divisions consistently indicated that no major vulnerabilities had been found. Yet one of those divisions found itself in the headlines for a major cybersecurity breach.

The problem was that asset owners could block security testing. While the CISO was responsible for overseeing the testing process, only asset owners could grant access for safe testing. The CISO had to find a new way to perform penetration testing across the agency and convince the rest of the agency’s security community that it was the right approach. Willing and enthusiastic support from the divisions’ security community was essential for the new testing program to work.

Download Government Department Gains Critical Insight Into Their Security Posture Whitepaper
