Pentera’s Field CISO on pentesting: ‘sentiment is changing fast’

California-based Jason Mar-Tang, Field CISO at Pentera

Banks, financial services firms and other companies are throwing more tools and resources than ever at cyber defence, but the key question is: is it enough?

No. Not according to Jay Mar-Tang, Field CISO at Pentera, who argues that the real issue isn’t a lack of security technology but knowing what truly works.

“Enterprises managing over 75 security solutions now face an average of 2,000 alerts per week,” Mar-Tang pointed out. “That number triples for organisations with more than 100 tools. It’s no wonder critical threats get buried.”

He emphasised that effective prioritisation is no longer a luxury but a necessity.

“In this environment, organisations benefit most when they can frequently test for exploitable gaps, so they know which issues truly matter before threat actors find them first.”

Mar-Tang added: “It seems obvious, but recent findings tell a clear story: more security tools do mean better security posture. However, there is no silver bullet.”


“More security tools do mean better security posture. However, there is no silver bullet.”

– Jay Mar-Tang

In fact, even among enterprises with over 100 tools, 61% still reported experiencing a breach.

That alert overload, he said, increases the risk of missing critical threats.

“In this environment, where alert volumes are high and time to triage is short, organizations benefit most when they can frequently test for exploitable gaps, so they know which issues truly matter before threat actors find them first.”

The findings are part of Pentera’s newly released 2025 State of Pentesting Report, based on a survey of 500 CISOs from global enterprises, including 200 from the U.S. The report outlines how enterprises are responding to mounting cyber risks, from technology adoption to shifts in strategic mindset.

Pentesting

One major shift Mar-Tang highlighted is the rise of software-based penetration testing.

“Only 5–10 years ago, many enterprises would never have permitted automated tools to run pentests in their environments for fear of causing outages,” he explained. “But sentiment is changing fast.”

Today, over half of enterprises rely on software-based pentesting, not just to support in-house testing, but as their primary method for identifying real vulnerabilities.

He noted that the increasing trust in these tools stems from necessity. “CISOs are recognizing the advantages of software in scaling adversarial testing and keeping pace with constantly changing IT environments.”

Mar-Tang also flagged a growing external influence on cybersecurity decisions: insurance providers. “59% of CISOs admitted they implemented at least one cybersecurity solution at the recommendation of their cyber insurers,” he said.

“It’s a clear sign that insurers aren’t just pricing risk; they’re actively prescribing how to reduce it.”

And when it comes to public sector support, optimism is low. “Only 14% of CISOs believe the government is adequately supporting the private sector’s cyber challenges,” said Mar-Tang. “22% feel they can’t rely on government help at all.”
