By: Dr. Kevin Charest
Many organizations approach the topic of pentesting with some trepidation. Often, pentesting is seen as a requirement or a “check-the-box” activity to satisfy a customer’s demand to obtain or maintain their business. The reality of pentesting is something quite different and should be approached by understanding the specific goals and deliverables for your business.
Background
There is no denying the pace of technological change for a typical organization is continuously accelerating, and the changes bring with them an added level of complexity as they are incorporated into an already existing IT environment. The rate of change coupled with the added complexity makes it very difficult for traditional security testing to keep pace. Enter the pentest as a tool to solve this challenge.
Pentest Considerations
Pentests, whether internal, external, or both, are delivered in different ways by different suppliers: automated, manual, hybrid, using onshore, nearshore, and offshore resources. That variation suggests organizations should be asking several key questions anytime they are seeking a pentest for their business.
- What is the primary purpose or goal of the pentest?
- Are there regulatory requirements that the business should consider?
- What type of pentest will meet the needs of my business?
- Are there any restrictions as to the type and method of pentest the business can deploy?
- Do I understand the scope and method of the pentest engagement to ensure my organization is protected?
Pentest Frequency
As we previously discussed, the rate of technological change in your organization is accelerating exponentially, and if you do not have automated and manual pentesting as a part of your information security toolkit, then you are putting your business at greater risk than you have accounted for in your risk management activities.
Our recommendation is that pentesting should be considered as an ongoing service, which will allow your organization to understand if there have been shifts away from your cyber and compliance management needs. This approach will also allow you to respond quicker to emerging threats and the continuous advancement of technology. One note of caution for those considering pentesting services of any type is to ensure that the pentest itself does not introduce risk to your enterprise, which means the scope of the test and the rules of engagement.