Multilayered, well-funded cybersecurity systems are unable to protect enterprises in the US and Europe from cyberattacks, according to a report by automated security validation firm Pentera.

The report, which was based on a survey of 300 CIOs, CISOs and security executives to get insights on their current IT and security budgets and cybersecurity validation practices, noted that the financial slowdown has had a minimal impact on cybersecurity budgets.

“We’re seeing more organizations increase the cadence of pentesting, but what we really need to achieve is continuous validation across the entire organization,” Aviv Cohen, chief marketing officer of Pentera, said in a press note. “Annual pentesting assessments leave security teams in the dark most of the year regarding their security posture. Security teams need up-to-date information about their exposure using automated solutions for their security validation.”

Pentesting, also known as penetration testing, is the practice of testing computer systems, networks, or web applications to identify vulnerabilities that an attacker could potentially exploit. This is achieved by simulating an attack on a system or application in a controlled environment to uncover security weaknesses and provide recommendations for remediation.

Defense-in-depth approach is not enough

On average, the survey found, a company has deployed nearly 44 security solutions, suggesting that they follow a defense-in-depth (also security-in-depth) approach that involves layering multiple security solutions to offer maximum protection to critical assets.
However, despite having a substantial number of security measures in place, 88% of organizations acknowledge experiencing a cybersecurity incident within the last two years.

The numbers are consistent with the observations of other experts.

“Defense-in-depth is not just about prevention, detecting and responding to attacks are part of the strategy as well,” said Erik Nost, a Forrester analyst. “In fact, it is likely that these organizations’ defense-in-depth strategies are what detected these breaches and mitigated their impact. The reality is that organizations have sprawling attack surfaces, some of which they don’t know about. Assessing attack surfaces for vulnerabilities and exposures can lead to lengthy findings, which then need prioritizing and time to remediate.”

The report noted that a slowed-down world economy may not affect cybersecurity budgets in 2023. As per the survey, 92% of organizations have increased their IT security budgets, and 85% have increased their budget for pentesting.

“While greater emphasis on validation of the entire security stack must be put in by the CISOs, I’m encouraged to see security teams are getting the budgets they need to protect their organizations,” Chen Tene, vice president of Customer Operations at Pentera, said in a press note.

Security validation among the top pentesting drivers

Although the initial need for pentesting was driven by regulatory demands, the key reasons for conducting it were found to be security validation, assessment of potential damage, and cybersecurity insurance, according to the report.

Only 22% of respondents considered compliance as their primary motivation for pentesting, indicating regulatory or executive mandates are not the primary driving force behind the practice.

“While in our 2020 survey, regulatory compliance was the second most common answer among CISOs, today it has dropped all the way to the bottom,” Cohen said.
“This is a positive shift showcasing how security executives aren’t waiting for regulations to mandate further action.”

Cybersecurity insurance policies emerged as another prominent driver for pentesting amid a pandemic-induced surge in cyberattacks, as 36% of survey participants identified it as their primary reason for conducting pentesting. This contrasts with the 2020 findings, where only 2% considered cybersecurity insurance as their top driver for pentesting.

“Sometimes an initial push from a regulator or governing body is what some organizations need to get a buy-in to make a change,” Nost said. “But as security solutions, technology, and threats evolve, it is unlikely that regulatory requirements will be able to evolve with it to maintain relevancy.”

The report found that 82% of companies are already implementing pentesting in some way. However, the main obstacle to the adoption of this practice is apprehension regarding business continuity. Companies that currently conduct pentesting and those that do not both identify the risk to business continuity as their primary concern when contemplating increasing the frequency of pentesting.

About 45% of participants who already conducted pentesting, whether manual or automated, said that the risk to business applications or network availability prevented them from increasing the pentesting frequency, and this number increased to 56% for those who didn't conduct pentesting assessments at all.