Budgeting for Security Assurance: A Pragmatic Approach

As we approach the end of the financial year, it’s that time again when organisations turn their attention to annual security assurance services, such as penetration testing, to inform their budget. During this period a common pattern emerges: organisations dust off last year’s scope and ask for it to be tested again, without considering whether their environment has changed significantly since then.

While some organisations adopt this approach to meet their obligations (such as ISO 27001 or PCI DSS), others may not have considered alternative ways to achieve assurance with greater value. At Sentaris, we recommend two complementary strategies to refine your security assurance: avoiding “over-assurance” when scoping your annual penetration testing, and shifting more of the security assurance responsibility into your project lifecycle.

Over-Assurance

Traditional annual penetration testing often involves testing the same scope every year, on the assumption that neither the risk landscape nor the compliance requirements have changed. This approach can be inefficient and costly, consuming valuable resources without delivering tangible benefits. We suggest working with your penetration testing provider to:

  • Perform light-touch, broad discovery scanning: Identify what has changed since last year, including new systems that may have been introduced without the knowledge of your internal security function, or that are not tracked in the Configuration Management Database (CMDB) or asset register.
  • Adopt a three-year roadmap: Collaborate with your penetration testing provider to create a three-year roadmap of targeted testing driven by actual changes. This proactive strategy reduces unnecessary retesting of previously tested systems while ensuring every system is considered at least once within the cycle.
  • Track application and system updates: Use your CMDB or asset register to record whether systems have changed throughout the year, and any penetration testing that took place during project delivery. This information should inform your annual penetration testing scope so that recently tested, unchanged applications are not tested again.
  • Apply a risk lens to the scope: Don’t spend the same amount of effort testing your marketing website as you would your customer portal. Consider capping the number of testing days per system according to the business impact of its compromise, so that low-impact systems receive proportionately less effort.
  • Consider the timing: If the organisation is undergoing significant IT change, try to schedule the annual penetration test for after those changes are complete. This avoids the penetration tester spending time on systems that are about to be decommissioned, and avoids a new configuration introducing a risk that goes untested until the following year’s engagement.
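The scoping rules above (reconcile the discovery scan against the asset register, skip systems already tested in a project and unchanged since, retest anything changed or stale, and cap effort by business impact) can be applied mechanically once the data is in one place. The following script is an added example, not a Sentaris tool or any code from the original article; the asset register, the scan results, the effort caps per tier and the 365-day retest interval are all constructed, hypothetical values used only to illustrate the decision logic.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date

# Constructed asset register (a stand-in for a CMDB export); every host is hypothetical.
ASSET_REGISTER_CSV = """hostname,ip,business_impact,last_changed,last_tested,tested_in_project
portal.example.test,10.0.1.10,high,2024-03-02,2023-06-15,no
www.example.test,10.0.1.20,low,2023-01-10,2023-06-15,no
hr.example.test,10.0.1.30,medium,2024-02-20,2024-02-28,yes
legacy-erp.example.test,10.0.2.5,high,2021-05-01,2020-11-03,no
"""

# Constructed result of the light-touch discovery scan; the last host is not in the register.
SCAN_CSV = """ip,hostname,open_ports
10.0.1.10,portal.example.test,443
10.0.1.20,www.example.test,80;443
10.0.1.30,hr.example.test,443
10.0.3.7,,22;8080
"""

# Assumed effort cap (testing days) per business-impact tier.
DAY_CAP = {"high": 5, "medium": 3, "low": 1}
# Untracked hosts get the medium cap until the business has triaged them.
DEFAULT_TIER = "medium"
# An unchanged system is still retested once this many days have passed (assumed interval).
RETEST_AFTER_DAYS = 365


@dataclass
class ScopeItem:
    host: str
    action: str   # "test" or "skip"
    reason: str
    days: int = 0


def parse_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def plan_scope(register_csv, scan_csv, today):
    """Reconcile the scan against the register and return the proposed annual scope."""
    register = parse_csv(register_csv)
    scan = parse_csv(scan_csv)
    seen_ips = {row["ip"] for row in scan}
    known_ips = {row["ip"] for row in register}
    items = []

    for row in register:
        host = row["hostname"]
        tier = row["business_impact"]
        changed = date.fromisoformat(row["last_changed"])
        tested = date.fromisoformat(row["last_tested"])
        age_days = (today - tested).days

        if row["ip"] not in seen_ips:
            # Possibly decommissioned: do not spend days on it, but do not silently drop it either.
            items.append(ScopeItem(host, "skip", "not observed in scan: confirm decommissioned before removing"))
        elif changed > tested:
            items.append(ScopeItem(host, "test", f"changed {changed} after last test {tested}", DAY_CAP[tier]))
        elif age_days > RETEST_AFTER_DAYS:
            items.append(ScopeItem(host, "test", f"last tested {age_days} days ago", DAY_CAP[tier]))
        else:
            where = "in project" if row["tested_in_project"] == "yes" else "in BAU"
            items.append(ScopeItem(host, "skip", f"tested {tested} {where}, unchanged since"))

    for row in scan:
        if row["ip"] not in known_ips:
            label = row["hostname"] or row["ip"]
            reason = f"untracked host (ports {row['open_ports']}): add to register and triage"
            items.append(ScopeItem(label, "test", reason, DAY_CAP[DEFAULT_TIER]))
    return items


def total_days(items):
    return sum(i.days for i in items if i.action == "test")


def example_plan():
    """Run the reconciliation on the constructed data as at 30 June 2024."""
    return plan_scope(ASSET_REGISTER_CSV, SCAN_CSV, date(2024, 6, 30))


if __name__ == "__main__":
    plan = example_plan()
    for item in plan:
        print(f"{item.action:4} {item.days:>2}d  {item.host:24} {item.reason}")
    print(f"proposed effort: {total_days(plan)} days")
```

On the constructed data the portal is retested because it changed after its last test, the marketing site is retested only because it is over a year old and at the low-impact cap of one day, the HR system is skipped because it was tested during its project and has not changed since, the legacy ERP host is flagged for confirmation rather than tested because the scan did not see it, and the unknown host on 10.0.3.7 is pulled into scope and into the register. Any system that is "skipped" still appears in the output with its reason, so the decision is traceable when the scope is reviewed.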

Embedding Security Assurance in Projects

Embedding security and privacy measures at the earliest stages of a project ensures that all stakeholders understand their roles in maintaining a secure environment, and that the appropriate security assurance is budgeted for within the project. Having projects fund their own assurance relieves pressure on Business as Usual (BAU) budgets, which can then be used to test legacy or other “at-risk” systems.

We recommend:

  • Establishing a project triage: This identifies critical security requirements early in the project lifecycle, ensuring that high-risk issues are addressed upfront. Sentaris provides a Project Triage Tool at no cost to help projects determine their risk level. Many of our customers rely on this tool as part of their project initiation process to inform both the project budget and the security requirements.
  • Ensuring governance: Ensure that projects assess their need for security input and assurance through appropriate governance. The project should submit the output of the project triage assessment as part of its initiation phase, and then be held to account for delivering against the security requirements throughout the project lifecycle. Finally, prior to go-live, the project should provide evidence that all requirements and assurance activities have been completed to an acceptable level. Where a project cannot meet its security obligations, those decisions should be recorded and traceable through the organisation’s risk management framework.

By implementing robust project governance, organisations can ensure that all security requirements are captured early in the project lifecycle. If you would like more information on how to embed security assurance effectively into your project management lifecycle, feel free to contact us.

Conclusion

Adopting these strategies doesn’t mean compromising on security; instead, it allows organisations to optimise their resources while maintaining a level of protection within their risk appetite. By moving away from performing security assurance only as an annual exercise and towards a “secure by design” strategy, the annual funding provided to security teams can be directed to areas of the business that have not yet been assessed.

As the end of the financial year approaches, now is the perfect time to make meaningful changes to your approach to security assurance. Whether it’s creating a three-year roadmap or introducing project triage, these strategies can help uplift your overall security posture while keeping pressure off annual security assurance budgets.

Sentaris is proud of its pragmatic approach to security assurance, which has helped many organisations better understand their risks without needing a significant increase in their budget. If you would like to learn more, please don’t hesitate to reach out to us.