The cybersecurity industry is in a state of change, with key trends including digitization, forced downward pressure on the cost of work, and an increase in AI-driven and automated threats. For many cybersecurity firms, including traditional cybersecurity consultants and pentesters, the key to answering those trends is to adopt AI and automation technology in turn. However, the industry is complex and there is no one-size-fits-all solution, so it is important to be aware of the market, your niche in it, and how you can best pivot your company to meet those trends and needs.
In this article, we review the trends cybersecurity specialists are facing, as well as some of the market shifts we’re seeing in response to those trends.
Digitization Means People are the Biggest Threat
People have (almost) always been the largest risk in cybersecurity. For example, a survey by StationX shows that spear phishing makes up just 0.1% of all email phishing attacks – but accounts for more than 33% of all breaches. That’s not going to change. In fact, as more and more companies fully move into the cloud, people become the primary risk.
This means that social media, phishing, and direct messaging are still your largest risks. Large companies need assessments to test their risks and to train staff on the risks of phishing – and that is something that cybersecurity consultancies are increasingly adapting to. Without getting people, including the developers and testers responsible for code, involved in cybersecurity, any human attacker is still going to be able to get in.
“Phishing attacks are made even more accessible by AI. Hacking a smart device provides a threat actor with everything they need for spear phishing; people are always going to be your biggest risks,” says Luis, CEO of Cyver Core.
AI & Automation
AI and automation impact every aspect of cybersecurity. Generative AI like ChatGPT makes phishing attacks easier to produce. It can also be used to run a lot of OSINT, meaning someone with even a small amount of skill in manipulating APIs can easily abuse the platform.
Companies are also more and more often using ChatGPT and other generative AI to take shortcuts with code. This creates risk because the generated code is uniform and predictable: once an attacker knows what you have done, the rest is predictable too. That is not a new form of risk compared with using a development platform or something like WordPress, but it is a risk that many companies will not be prepared for. Testing for it and checking those risks will be important for security clients.
“The workaround is to ensure that pentesters and companies have automation of their own. The best way to fight automated attacks is automated defenses. Companies are increasingly adopting DAST/SAST/SCA to that effect,” adds Luis. “At the same time, you want to work to bring organizations a step closer to their cybersecurity. That means giving developers and IT staff insight and control of the cybersecurity process – which many cybersecurity consultants are working to solve. Cyver Core does so as well by delivering a Client Portal, where developers and IT staff can simply log on to request pentests, run scans, and view and manage findings – or directly communicate with the cybersecurity consultant about found vulnerabilities.”
“Devs need to understand where their vulnerabilities are coming from if they’re to remediate them now, and across every asset they’re building.”
“Of course, shifts to new technologies are nothing new. We’ve seen VR, cloud, object-oriented programming, etc., even the shift from mainframes to personal PCs, become new concerns in their turn, and at each stage, pentesters have adapted and brought those environments into their testing scope – this is the same.”
Increases in Government Regulation
Specifically for the EU, many regulations now bring enforced pentesting. Most notably, the DORA regulation for the finance and banking sector will force thousands of organizations and their third-party suppliers to conduct mandatory pentesting (internal and external), with enforcement by January 17, 2025. Those shifts will mean that organizations need formal, consistent, and predictable delivery of pentest reports and deliverables, mapped to the formats used by their internal teams.
Pentest firms are increasingly facing the effects of economic downturn, as organizations try to cut budgets. For many, that means shifting away from penetration tests and towards vulnerability assessments, despite the fact that these are not the same and do not provide the same value.
That push towards lower costs also means that organizations which are less aware of what they are getting in a pentest will opt to cut costs by going for simple scanning. Working for transparency in what you are testing and how you are doing it can help to alleviate this issue.
“That’s also true for organizations that offer a full-service approach – as many companies do need vulnerability assessments and scanning in addition to traditional penetration tests or red team assessments and even bug bounty programs,” says Luis. “The key to security is using a layered security approach, and organizations need to be more aware of that.”
Of course, firms can also work to reduce costs and hours per pentest with process automation, report generation, and by reducing manual workloads with reusable findings and vulnerability libraries. Cyver Core works to enable that – reducing time spent managing and reporting on pentests.
Human Insight is Still Key
Companies will always need scanning; SAST and DAST are key to catching low-level issues and check-the-box vulnerabilities. Having them in place, using scanners, and running vulnerability assessments makes baseline security feasible for organizations at any budget. At the same time, human insight into risk profiles, exploitation of vulnerabilities, and understanding how threat actors think will always be a critical part of security.
“Whether you’re delivering scanning, vulnerability assessments, red teaming, or traditional pentesting, your ability to look at what your tooling is doing and make recommendations, assess risks, and figure out what you can do with those vulnerabilities will always be a key part of your deliverable,” says Luis. “Cyver Core enables that by putting you in direct contact with the people making the fixes, so you can share insights and direct the customer towards remediation – rather than just awareness.”
Do you see any other trends for 2024? Feel free to share them with us!