
CISO Insights: How to Pass Every Penetration Test

Published January 09, 2026


Between sophisticated cyber threats, constant firefighting, and shifting strategic imperatives, CISOs face an expanding list of priorities. While regular penetration testing is key for identifying security weaknesses, it can represent just one more stressor for overworked, under-resourced security leaders.

In a recent webinar, Aaron Goodwin, CISO at B. Riley Financial, joined Zero Networks to share how his organization turned pen tests from a source of anxiety to a success story. Explore insights from the session to learn how B. Riley transformed their cybersecurity strategy, positioning lateral movement prevention as a business resilience necessity.  

Recurring Penetration Test Findings: The Struggle of Persistent Security Gaps  

Most teams recognize the value of penetration tests – they help uncover hidden risks, enabling organizations to enhance protection before a breach. But when the same security gaps show up on pen tests year after year, the practice turns into a source of stress rather than a roadmap for improvement.  

Aaron Goodwin: There were a lot of years of doing penetration testing and coming up with similar results. There was always a critical. There was always a high. There were always multiples. And we just couldn’t stop those from reoccurring; no matter what we did, those same things would just show up again – we thought we had it fixed and then we’d find out a year later that we still had that issue. 

Like B. Riley, many teams face an impossible tradeoff: address persistent pen test findings and disrupt key operations or live with known risks to maintain business as usual. Meanwhile, simply keeping up with day-to-day vulnerability management drives burnout ever higher.

Why Breaking Free from the Patching Cycle Matters

Vulnerability exploitation now serves as the initial access vector for 20% of all breaches, rising 34% year-over-year. But addressing vulnerabilities via traditional patch management cycles isn’t sustainable or entirely effective.  

Aaron Goodwin: Roughly 130 vulnerabilities are found every day. Now, those don’t affect every single customer out there, but we do see at least two to three a month that affect our environment, and those are things we have to chase down and investigate. 

Nicholas DiCola: How do you think about the constant churn of patching, chasing exposures, and how it impacts your strategy and your team’s day-to-day life?  

Aaron Goodwin: We stay on top of [patching], but it’s always a grueling cycle. You’re always trying to stay up to date as much as you possibly can, but you still have to have time to test those patches with the different groups, different systems, different operating systems.  

Testing patches before they’re applied widens the window of opportunity for attackers, but the risk of breaking something leaves defenders with no other choice. What’s more, patching isn’t always an option – zero-day exploits have jumped 141% in the last 5 years, underscoring the reality that relying too heavily on patching is risky.

Aaron Goodwin: Patching will only go so far. What can we do to stop or break the cycle of the attack? Even if you have the patch installed, there’s going to be another vulnerability that they could potentially exploit.  

From Chasing Every Threat to Containing Breaches Proactively  

The B. Riley team recognized that a reactive security strategy anchored on chasing threats and patching vulnerabilities placed too heavy a manual burden on staff without providing comprehensive protection. To proactively block breaches and finally address long-standing pen test findings, the organization implemented microsegmentation.  

Aaron Goodwin: Having microsegmentation in place has really given us a precautionary protection layer so we can delay applying some of these patches. Microsoft tends to release a patch, breaks things, and then you’re stuck in that cycle. This gives us plenty of time to test, make sure everything’s working, and then apply it, but still have that protection layer in place.   

Nicholas DiCola: So, it makes your team’s life a little easier because now an asset is microsegmented, you don’t have as many ports open, maybe that patch isn’t as important, and you can delay it a little bit.  

In one case, B. Riley faced a Microsoft Outlook vulnerability involving outbound SMB traffic – there was no immediate fix available, so Goodwin collaborated with Zero Networks to proactively address the vulnerability with a rule to block SMB traffic to the Internet from Outlook.  

Aaron Goodwin: It’s not the only time we’ve done that. There are other types of things where we’ve said ‘There’s no remedy for this. Let’s find a way to block it from going across the network or the Internet.’ … And that’s a really big win in my opinion – it saves us from waiting for these patches, waiting for things to occur. We can shut down these services from exposing these vulnerable situations quickly.  
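The outbound-SMB block described above, shown here as an added example that is not part of the original article and is not Zero Networks’ own policy: the same control expressed as a Windows Defender Firewall rule so the effect can be reproduced and verified on a single host. The Outlook executable path and the rule name are assumptions.

```powershell
# Added illustrative example: stop Outlook from initiating SMB sessions to Internet hosts
# using the built-in Windows Defender Firewall. Run in an elevated PowerShell session.
# The executable path and rule name are assumptions, not values from the article.

$OutlookExe = 'C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE'  # assumed install path
$RuleName   = 'Block Outlook outbound SMB to Internet'                      # hypothetical name

if (-not (Test-Path $OutlookExe)) {
    throw "Outlook not found at $OutlookExe; adjust the path before creating the rule."
}

# Remove a stale copy so the script is idempotent when re-run.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule

# Outbound block scoped to the Outlook process, the SMB ports (445 direct-host SMB,
# 139 NetBIOS session) and the firewall's built-in 'Internet' address keyword, so SMB
# to the local subnet and corporate intranet (file shares, print servers) keeps working.
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'Mitigation: Outlook-initiated SMB connections to external hosts' `
    -Direction Outbound `
    -Action Block `
    -Program $OutlookExe `
    -Protocol TCP `
    -RemotePort 445,139 `
    -RemoteAddress Internet `
    -Profile Any `
    -Enabled True | Out-Null

# Log dropped packets on every profile so blocked attempts are visible in
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log for detection and tuning.
Set-NetFirewallProfile -All -LogBlocked True

# Verify what was actually written: the application filter must point at Outlook and the
# address filter at the Internet keyword, otherwise the block is wider or narrower than intended.
$rule = Get-NetFirewallRule -DisplayName $RuleName
$app  = $rule | Get-NetFirewallApplicationFilter
$port = $rule | Get-NetFirewallPortFilter
$addr = $rule | Get-NetFirewallAddressFilter

[pscustomobject]@{
    Rule     = $rule.DisplayName
    Enabled  = $rule.Enabled
    Action   = $rule.Action
    Program  = $app.Program
    Ports    = ($port.RemotePort -join ',')
    RemoteTo = $addr.RemoteAddress
}
```

A microsegmentation platform applies the equivalent policy centrally across hosts; the per-host rule above is useful for confirming the intended scope before rolling a policy out more widely.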

Breaking Down Lateral Movement Risks in Business Terms  

Stopping unauthorized lateral movement was B. Riley’s top goal in seeking out a microsegmentation solution – an objective that previously felt out of reach.  

Aaron Goodwin: No matter what we’ve done in the past through threat hunting and things like that, there was always a point of lateral movement that was available to an attacker or a pen tester. 

Despite its importance to security teams, lateral movement prevention doesn’t always rank among business leaders’ top priorities. To bridge the gap, CISOs must explain lateral movement in a way that’s accessible and meaningful to the business.  

Aaron Goodwin: How I usually explain lateral movement is the ability to abuse a particular service or feature within native tools or native systems to expose or to gain a higher elevation of access into our environment, essentially making them a trusted user.  

“The majority of attacks we see today have some sort of lateral movement in that process of the attack sequence that’s allowing them to gain greater access or a hold on the environment, which costs companies billions of dollars to remediate, causing our insurance to continue to skyrocket in the cybersecurity space.” 

Unseen ROI: Giving CISOs Peace of Mind   

For CISOs and other technology leaders who may be skeptical about the impact of microsegmentation, Goodwin advises thinking about ROI in real-life terms.  

Aaron Goodwin: I would tell CISOs, technology leaders, those of us who continue to fight these battles against attackers on a daily basis, our lives seem to be very stressful. We tend to be not spending quality time with family or getting the sleep that we need. Those are quick wins that microsegmentation has given my team.  

Beyond freeing up critical bandwidth, microsegmentation gives CISOs additional peace of mind by transforming board-level conversations.  

Aaron Goodwin: Do you want to show that same cycle of testing that occurs every year? Do you want to continue to go back to the board and say, “We had another critical finding, we had a multitude of them, or we were just attacked, and they’re inside of our environment”? Having those repetitive conversations just creates more stress for [CISOs]. They worry about the security of their job. They worry about the security of their company and their customers’ data. It’s time to really take hold of that and regain some mental security.  

Comprehensive Defense > Piecemeal Protection  

By implementing automated microsegmentation with Zero Networks, B. Riley finally received a pen test report with no high alerts, addressing long-uncovered security gaps without disrupting the business. While pen tests validated the effectiveness of microsegmentation in B. Riley’s environment, these findings were a byproduct of a larger strategic shift.  

“We continue to go down this path of trying to nip and tuck these certain areas that we’re dealing with that may be vulnerable. But how do we stop that? That really comes down to microsegmentation.” 
Aaron Goodwin, CISO, B. Riley Financial  

Rather than staying stuck in a cycle of reactivity, B. Riley built proactive, comprehensive protection – no more hidden vulnerabilities, heavy manual burden, or sleepless nights.  

For teams facing similar challenges, B. Riley’s approach offers a practical model for transforming security strategies. Learn how Zero Networks can deliver the same effortless lateral movement prevention to your organization, helping take you from red to green on every machine – request a demo.