Penetration testing is beneficial and often necessary for organizations to test the effectiveness of their security controls.
With a realistic assessment of your security posture, you may understand the vulnerabilities adversaries may exploit to damage your company’s operations, reputation, and information assets.
Is a pentest useful for every organization?
Penetration tests can range from a few to several thousand dollars or euros. The price depends on the scope of the penetration test and on the expert or organization that prices the engagement.
Are you willing to pay a large amount of money to find out what methods attackers can use to damage your company when you haven’t even taken the first steps to protect it?
Are you ready to learn what your security flaws are, prior to you taking action to strengthen your organization’s security posture?
An Analogy
An analogy that comes to mind is taking your car for an MOT test when you haven’t had your regular maintenance and service repairs done, yet still expecting the MOT test to be successful.
You already know you will fail your MOT test. Why bother wasting your time and money on it in the first place?
Being mindful of how you drive your car, and not missing out on its basic tune-ups and maintenance schedules is how you keep your car running smoothly and safely. You know that.
The same applies to information security.
Penetration Testing is for “Test-Driving” your security controls
Without specific prerequisites in place, you are incapable of defending your organization from cyberattacks.
Don’t bother planning and executing penetration tests that will offer no real value, if you don’t have a security baseline of your information systems and operations in place. The money you paid for the pentest will end up being a forgotten stack of papers in your drawer.
So, postpone the meeting you have with the cybersecurity firm or expert and ask yourself the following questions.
- Does your organization have a formal security program in place?
- Have you compiled and communicated security policies and operating procedures?
- Do you perform regular security risk assessments?
- Have you established a vulnerability management program to discover and mitigate any vulnerabilities in your information systems?
- Do you run a patch management program on a regular basis?
- If you do code development, do you follow secure coding practices?
If you answer “No” to any of the questions above, don’t even start thinking of executing a penetration test.
Your organization does not have the maturity level needed to deal with the long-term effects of its poor security posture.
Fixing whatever findings the pentest uncovers will only be a small patch on a car tire that is full of holes. It will be ineffective and won’t last long.
The penetration testing activity must only be a part of your security program, “test-driving” the effectiveness of your security controls, not a bypass to avoid the cost and effort of implementing them.
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other qualifications, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.