Why automated pentesting won’t fix the cybersecurity skills gap

The modern threat landscape is an enormous challenge for the modern enterprise. Many organizations are “addressing” this by buying the newest security products from the latest hot vendor and hoping that this will protect them, but most recognize that this isn’t enough to defend their organizations.

Automated pentesting and the security talent gap

Tools and scanners are good to use, but those can only find known vulnerabilities. Many vulnerabilities out there are the kind that only a trained security expert would spot. Unfortunately, the lack of well-trained, qualified security professionals exacerbates organizations’ challenges.

The security talent gap is not getting any smaller and people are coming up with some outlandish ideas for closing it. The latest one is automated penetration testing – the idea is that we can somehow create bots that will probe enterprise defenses and uncover vulnerabilities. Here’s the thing though – that’s the antithesis of what pentesting is. A real pentest is not an automated scan job. A real pentest leverages the creative mind of an experienced cyber professional.

The whole point of pentesting is to be creative, thinking from the perspective of an attacker, and identify vulnerabilities that machines and other pre-built-in logic cannot, thereby staying one step ahead of cybercriminals. When we teach bots to identify and address some vulnerabilities, hackers will get more creative and find new ones to bypass the detection of these automated checks.

We should automate as much as we can, but relying only on automated security testing of your systems and networks will not protect your enterprise. The only way to fix this is with great cybersecurity professionals who can beat them to the punch.

Why a shift in mindset is key

Security teams need to have the adversarial or hacker mindset – i.e., they have to think as an attacker. They need to stay a step ahead of the cyber criminals and advise the rest of the organization on the important and timely actions to take.

Not every vulnerability is obvious. The best way to defend the enterprise is for defenders to think like attackers and try harder every time they seemingly hit a dead-end – not giving up easily on something they see that doesn’t make sense. Successfully defending systems, networks, and applications requires not only an understanding of the tools an attacker could use, but how they use them and when they use them. This requires a lot of judgement calls, asking a lot of questions that start with “why”, and those cannot be accomplished with automated tests. Automated tests are only as good as what you tell them to look for and do. What makes security hard is that each time, the attacker is doing something different and new.

Attackers don’t need a massive vulnerability to impact organizations – they are patient, waiting for an individual to make a mistake to let them in, either via phishing or social engineering. Once in, they make their way up the network or escalate privileges to gain more and more sensitive systems and data.

Bad hacks and data breaches usually start with a small mishap. Because most systems and networks have been designed without necessary security defensive mechanisms, it is not uncommon to chain a few small vulnerabilities to produce a devastating effect.

Moreover, attackers continually develop new malware payloads and test out new threat vectors. The only way to truly level the playing field is with human defenders who are every bit as creative and persistent as the adversaries. The defenders also need to stay up to date on the latest exploits, hacking techniques, malware, etc.

Closing the cybersecurity skills gap

The cybersecurity skills gap is a people problem, but it’s not just about finding enough people to operate tools, because the tools themselves are not enough. All tools have a shelf life and it’s only a matter of time until attackers find a workaround.

If we really want to address the security problem, we need to increase security awareness training for all. We need to train people who design and build systems and networks to have an attacker mindset. We must make sure we train the security professionals to have the ability to think like an attacker to stay current with the latest exploits and security issues.

There is no doubt that we need more qualified security professionals and there is no silver bullet to solve this talent shortage. You don’t have to be an IT expert to enter the field of security. You need to have a curious mind, be a creative problem solver, willing to put in the sweat to learn the craft, not give up easily and keep going.

Great candidates can come from many parts of an organization – system admins, network engineers, web developers, customer support members and even recent graduates. While they won’t be able to hit the ground running, they’ll have the essential traits to succeed in security.

Security is a people problem. Scanners, tools, and automated tests can help, but to really solve this problem, it takes human creativity on multiple levels to combat it.