This article at DarkReading points out that a report from BT on ethical hacking, planned for release later this week, provides some interesting statistics on corporate spending on penetration testing. This all looks like good news to me; a few statistics stood out:
Call it realism, or call it pessimism, but most organizations today are resigned to getting hacked. In fact, a full 94 percent expect to suffer a successful breach in the next 12 months, according to a new study on ethical hacking to be released by British Telecom (BT) later this week.
This is not good on the surface, because clearly we aren’t doing a very good job at security if that many organizations expect to get hacked. On the other hand, it is great to hear that so many organizations acknowledge the threat exists and are being more realistic about the high probability of an attack.
The first step is to acknowledge you have a problem.
Also this bit:
Around 60 percent of organizations have budgeted for pen testing, while around 38 percent have not, the study found. Nearly 70 percent allocate 1 to 5 percent of their security budgets for pen testing, 17 percent allocate 6 to 10 percent, and 2 percent set aside 20 percent.
So it’s making it into the budget and is becoming part of the standard security regimen.
The remaining question that I didn’t see addressed in this article is how many organizations have developed remediation plans, prioritized the problems found in the pentest, and actually gotten things fixed. It’s great to know your vulnerabilities, but if we want to move that statistic from 94 percent to somewhere below 50 percent, we need to start fixing those problems and keeping new ones under control.
Sounds like some good progress is being made.