How workforce reductions affect cybersecurity postures

In its State of Pentesting Report, Cobalt reveals an industry struggling to balance the use of AI and protecting against it, while facing significant resource and staffing constraints.

Pentesting plays a key role in addressing this challenge, equipping organizations with the ability to more frequently security test critical assets, expanded environments, and proliferating cloud applications.

Cobalt analyzed 4,068 pentests, revealing a 21% increase in the number of findings per pentest engagement year-over-year, aligning with increases in Common Vulnerabilities and Exposures (CVE) records. Additionally, findings indicated that the median time to fix vulnerabilities also increased compared to previous years.

In addition to its pentesting analysis, the report also includes a survey of more than 900 cybersecurity professionals across the U.S. and U.K. The study digs into how cyber professionals are balancing internal staffing and working with external partners, the push-pull of AI as both a tool and a threat, and the challenges the C-suite faces to lead change.

Challenges in the eye of the AI storm

The study highlights the push-pull relationships cyber security teams have with AI. 86% cite their teams having adopted AI-powered tools, while seven in ten respondents also cite an increase in threats coming from AI.

Throughout 2023, Cobalt performed increasing pentests on AI systems, primarily on software products incorporating AI-enabled chatbots to improve user experience. The most common vulnerabilities uncovered included prompt injection (including jailbreak), model denial of service, and prompt leaking (sensitive information disclosure). Despite the increased investment, 59% of teams worry they are still behind the AI threat.

The report captures the reality of significant industry layoffs and uncertainty that plagued 2023 and the hangover effect layoffs continue to have on threat levels. 31% of respondents said their organization conducted layoffs during the past six months, and ⅓ of those agree their organization faces greater cyber risk due to those departures.

If not addressed, cybersecurity teams are looking at further losses, as 29% of those who have been impacted by layoffs/resignations say that they currently want to quit their jobs.

Most concerning is that there are no signs of a strong staffing recovery. Nearly one-third of respondents report being on a hiring freeze, and 29% expect to do more layoffs still this year. Looking at the data, Cobalt sees an increase in the overall volume of high and critical severity findings of 39% year over year. This is leading many companies to look at how they will utilize partnerships and vendors to improve security measures, with 59% agreeing they will increase pentesting in 2024.

The significance of pentesting in cybersecurity

As attacks rise, C-suite executives increasingly find themselves at the top of the accountability and liability food chains. It’s clear that respondents are feeling this pressure; C-suite is 31% more likely than non-C-suite to say the industry environment is impacting their mental health, and 51% more likely to say it’s impacting their physical health. Like their staff, they cite challenges balancing talent shortages and budget constraints against both increasing and emerging threats.

Among all groups surveyed, they are the most concerned about AI adoption (33% more than non-C-suite respondents). Despite these challenges, C-suite leadership is proven to be critical to cyber security, with 23% noting that C-suite leadership is more critical than budget to preventing attacks.

“With cybersecurity teams strained by staffing shortages and concerns rising about AI’s potential to enhance cyberattacks, the importance of pentesting as a proactive measure is key,” said Caroline Wong, Chief Strategy Officer at Cobalt. “Our data reinforces the actions we as an industry need to take: prioritizing talent acquisition, exercising caution in AI integration to safeguard against evolving threats, and leveraging pentesting.”

“Enterprises today not only face digital threats but the personal toll that these challenges take on their executives,” said Chris Manton-Jones, CEO at Cobalt.

“As leaders, it is crucial to understand that cybersecurity is not just about securing our digital assets but also about ensuring the safety of our entire organization, including ourselves,” Manton-Jones concluded.

Pentesting remains a reliable way to identify both historic and nascent vulnerabilities within applications and systems, and security teams should maintain their commitment to regular pentesting as technology and cybercriminals advance in tandem with one another.