CISO demands second opinion after internal reporting showed zero vulnerabilities
Security testing within a large US federal government agency was dispersed by department and performed by various teams. Pentesting was required, but each division operated somewhat independently and hired testers with varying skill levels. Results were inconsistent, and the findings were trapped in written reports rather than captured as structured data. The CISO could not easily determine the quality of testing, remediation status, or the need for security improvements.
Pentest reports filed by several of the agency’s divisions consistently indicated that no major vulnerabilities had been found. Yet one of those divisions found itself in the headlines for a major cybersecurity breach.
The problem was that asset owners could block security testing. While the CISO was responsible for overseeing the testing process, only asset owners could grant access for safe testing. The CISO had to find a new way to perform penetration testing across the agency and convince the rest of the agency’s security community that it was the right approach. Willing and enthusiastic support from the divisions’ security community was essential for the new testing program to work.