Skip to content

The Cybersecurity Industry Has Let You Down

Why hasn’t your security improved despite regular penetration testing? Discover how the cybersecurity industry has fallen short, why testing becomes transactional, and how better scoping can drive real security improvements.
The Cybersecurity Industry Has Let You Down

If you’ve invested in cybersecurity over the past few years, there’s a good chance you’ve done what you were supposed to do.

You’ve commissioned penetration tests. You’ve worked with cybersecurity providers. You may have even switched suppliers in the hope of getting better insight and better results.

And yet, your security posture may not have improved in the way you expected.

If that sounds familiar, there’s something the industry needs to admit:

The cybersecurity industry has let you down.

This is not about blaming your internal team. It is not about saying you made poor decisions. It is about recognising a wider problem in the way cybersecurity services, especially penetration testing, are often delivered.

And it needs to change.

Before we continue, cybersecurity terminology can be tricky. To help you untangle the jargon, check out our A-to-Z cybersecurity glossary, which defines the language used throughout this article.

Penetration Testing Has Become Too Transactional

For too many businesses, penetration testing has become a box-ticking exercise.

A company says, “We need a pen test.” A provider says, “No problem.” A scope gets agreed. A test gets delivered. A report gets sent over. Everyone moves on until next year.

On paper, that sounds fine. In practice, it often means businesses are paying for a service without getting the strategic value they should be getting from it.

Penetration testing should not feel like ordering something off a menu. It should not be a case of “one pen test please” followed by a standard engagement that looks almost identical to last year’s.

It should be a process designed to help you understand your risks more clearly and improve your security over time.

Research shows that 68% of organisations conduct annual penetration tests primarily for compliance requirements rather than for genuine security improvement. This checkbox mentality means testing becomes routine rather than strategic.

Related Reading: What is the Pentest Trap? How Routine Testing Creates False Security

Why Changing Providers Often Does Not Solve the Problem

A lot of businesses assume that if they are not getting enough value, the answer is to move to a different supplier.

That can help in some cases. But changing providers on its own is not enough.

If your new provider simply runs the same type of test, against the same areas, with the same assumptions behind it, then the outcome is unlikely to change in a meaningful way.

You may get a different format of report. You may get a slightly different set of findings. You may even feel like you have had a more polished experience.

But if the scope remains largely the same year after year, you are still unlikely to uncover the most useful insights for your business.

That is the real issue.

The problem is not just who does the testing. The problem is whether anyone is helping you work out what kind of testing will actually improve your security.

The Industry Has Put Too Much Responsibility on the Customer

Most businesses are not penetration testing experts.

They should not have to be.

The average IT leader, operations lead, compliance manager or business owner should not be expected to know which testing approach is most appropriate for their environment, their recent changes, or their current risk profile.

That is what cybersecurity providers are supposed to help with.

Yet too often, the industry has allowed scoping to become passive. A customer asks for a certain type of test, the supplier provides it, and nobody stops to ask the more important questions:

Why this test?

Why now?

What has changed since last year?

What are you actually trying to learn?

What would create the most security value from this budget?

Those questions matter.

Without them, penetration testing becomes a routine purchase rather than a strategic security activity.

Related Reading: Are You Testing the Same Things Every Year? Here’s Why That’s a Problem

Doing the Same Test Every Year Is Not a Strategy

There are situations where repeating certain tests makes complete sense.

If you have core systems that need regular assurance, or there have been major changes to infrastructure, repeating a test may be the right move.

But repeating the same full scope every year simply because that is what has always been done is not a strategy.

It is habit.

And habit is not the same thing as improvement.

Businesses can spend thousands, sometimes tens of thousands of pounds, on repeated testing without materially improving their security posture. That is not because testing itself is ineffective. It is because the scope has not evolved with the business.

Good security testing should adapt.

If your environment has changed, the testing should reflect that.

If your business priorities have changed, the testing should reflect that.

If your biggest risks sit outside the same old testing scope, the testing should reflect that too.

Better Security Starts with Better Scoping

This is where the industry needs to be better.

The scoping call should not be a formality.

It should be one of the most valuable parts of the process.

It should be the point where a provider helps you work out:

what you have already tested

where your risks are now

what has changed in the business

what your budget needs to achieve

which testing approach is most likely to produce useful outcomes

Sometimes that may still lead to a traditional penetration test.

Other times, it may point towards something more targeted or more relevant to the way your organisation actually operates.

The point is not to make cybersecurity more complicated.

The point is to stop pretending that every business should buy the same thing in the same way every year.

Security Should Improve, Not Just Repeat

A good provider should not just deliver a service.

They should help you make informed decisions.

That means being willing to challenge assumptions. It means being honest when a requested test is unlikely to produce much value. It means helping clients use the budget they already have more effectively, rather than simply selling whatever was asked for.

That is what duty of care looks like in cybersecurity.

If a business changes provider, they should not be met with the same old approach wrapped in different branding. They should be met with expertise, questions, guidance and recommendations that are actually designed to improve security.

Anything less is not good enough.

Related Reading: Did We Pass? What Businesses Get Wrong About Penetration Testing

An Open Apology from the Industry

So here is the truth.

The cybersecurity industry should have done a better job.

It should have educated clients better.

It should have scoped engagements more thoughtfully.

It should have made stronger recommendations.

It should have focused more on meaningful outcomes and less on easy transactions.

Too often, it has not.

And businesses have paid the price, not always through breaches or major incidents, but through wasted budget, missed opportunities to improve, and a false sense that testing alone equals progress.

It does not.

In fact, 47% of organisations that experienced a data breach had conducted penetration testing within the previous 12 months. This stark statistic highlights that testing without the right scope and strategic focus does not necessarily prevent breaches.

What Fortifi Believes Should Happen Next

At Fortifi, we believe penetration testing should be part of a wider conversation about how to strengthen your business.

That means starting with the right questions.

It means making recommendations based on your actual needs.

It means treating your budget seriously.

And it means focusing on what will genuinely help you improve, not just what is easiest to sell.

Cybersecurity should not feel like ordering from a menu.

It should feel like working with a partner who understands that every organisation is different, every environment changes, and every testing engagement should have a clear reason behind it.

That is the standard businesses should expect.

And frankly, it is the standard they should have had all along.

Is Your Current Testing Approach Actually Helping?

Before your next penetration test, ask yourself one simple question:

Are we testing in a way that helps us improve, or are we just repeating what we did last year?

If the answer is the second one, then something needs to change.

Not because your business has failed.

Because the industry has let you down.


Recent posts

Cybersecurity for Law Firms in 2026: Which Threats Are Most Likely to Breach Solicitor-Client Confidentiality

Read more

ICS & SCADA Penetration Testing: How to Test Live OT Systems Safely

Read more

OT Penetration Testing: A Complete Guide to Securing Operational Technology

Read more

How to Share Passwords Securely at Work

Read more