If you’re asking this question, it’s usually for one of two reasons:
- A client (or prospective client) has requested one from your firm.
- It’s time for your next pentest and you’re wondering if you can skip it.
I get it. Pen tests can be a daunting proposition. They can be expensive and they reveal security weaknesses. They’re also critical for driving and developing attack-resistant security strategy.
As a CISO, I believe a penetration test is a vital tool for any enterprise. But in the article that follows, I’m not just going to give a security lecture to explain why you need penetration testing, I’m going to give you the business justification.
These are the four main reasons why running a penetration test, at least annually, not only lowers your risk of a data breach, but lowers critical barriers to business growth.
- #1: Prospective Clients Will Ask (& Keep Asking) to See One
- #2: Pentesting Helps Meet Compliance Requirements
- #3: A Pentest Improves Your Security Posture
- #4: A Pentest Can Save Money or Maximize Coverage on Insurance
- Isn't a Vulnerability Assessment Enough?
- When You Don't Need a Pentest
- Find the Right Pentest Provider Fast
(NOTE: If you’re considering a pentest, our free tool matches your firm with top-rated pentest providers that suit your needs and budget.)
#1: Prospective Clients Will Ask (& Keep Asking) to See One
Penetration testing can make your business a more appealing option compared to your competitors. Penetration tests signal to prospective clients that you take security seriously and have security controls in place to protect against potential data breaches. It’s a great way to gain customer trust.
If you’re a B2B sales organization, penetration testing is a must. With increasing rates of serious service provider and other cyber attacks in the news, every company is spinning up some kind of Third Party Risk Management (TPRM) arm. Those programs are entirely concerned with evaluating and judging an organization’s security posture. If you don’t do well, your contracts may be at risk.
Some TPRM services will evaluate your perimeter network for network security posture and security risks. They gauge not only how attractive a target you are, but the likelihood that a threat actor can gain access by penetrating the perimeter. External penetration tests are incredibly effective for identifying those gaps.
Clients also want to know that your IT infrastructure reduces the likelihood of critical data or service compromise should threat actors reach your internal network. Pen testers are security consultants that leverage real-world attack vectors in simulated attacks against a company’s systems. They identify potential vulnerabilities that vulnerability scanners can miss, issues with key security systems, and security processes that fall short.
The great thing: penetration tests result in the production of penetration testing reports. Those are detailed reports that go beyond most security assessments and tell you not only where your security holes are, but the security measures that would most effectively close those holes.
Ultimately, your clients will want to see: 1) that you’ve had a recent pen test and 2) that you’ve acted on its findings. What counts as recent? At least once in the past year.
That being said, vulnerabilities are discovered at a breakneck pace and your clients will be concerned for their data integrity. Running penetration tests more often than annually may be necessary just to stay competitive. The more you do it and the more you use them to take meaningful action or represent the quality of your security program, the greater your competitive advantage.
There aren’t any real industry standards around penetration testing. Some organizations do it annually, while others use perpetual testing. Suffice it to say, if you have one pen test conducted, then you’ll want more pen testing. Your initial results will be humbling, but you’ll be able to make a good case for tangible and material security controls improvement and additional investment to mitigate cyber threats.
#2: Pentesting Helps Meet Compliance Requirements
Regulations covering security in industries like healthcare and finance practically demand regular penetration tests. While a penetration test isn’t typically named explicitly as a requirement for regulatory compliance, regulations do require that sensitive data be safeguarded against data breaches. Regular penetration tests are the single most effective kind of security testing to validate that your security tools and controls are effective.
HIPAA, the regulation I have the most familiarity with, requires the implementation of appropriate access controls, network safeguards, incident response, and log monitoring to name a few. Without some kind of external testing, it’s impossible to know if those controls are effective.
Penetration testing also helps with PCI-DSS compliance. Evaluating the efficacy of payment processing systems and the controls around them is key for certification.
Other standards and regulations are helped by a penetration test and provide the perfect excuse to do one. HITRUST, SOC 2, ISO 27001, GDPR and the like don’t mandate a penetration test, but they do mandate processes designed to safeguard data. It’s one thing to say that a process is implemented, but entirely another to have a live-fire test of it. A penetration test is a perfect supplement and capstone to your compliance and certification journey.
Some penetration testers will also include an evaluation of physical security controls. I’ve found that kind of testing is increasingly difficult to find. There’s a lot of administrative overhead, not the least of which is dealing with police departments to extricate their security team. It’s one of the effects of not testing in a controlled environment; if employees know the test is happening, then the results will be skewed. That being said, it’s effective and “safe” for the pen testing security team to test the physical security of new office locations. Identified security issues can be mitigated prior to opening.
#3: A Pentest Improves Your Security Posture
As alluded to in the section on satisfying client demands, penetration testing materially improves an organization’s security by reducing a cyber criminal’s ability to exploit vulnerabilities. Penetration testers attack an organization’s systems, typically using ethical hacking techniques, so that the organization can fix what they find before a real data breach occurs. Those techniques are similar to what cyber criminals would employ, but ethical hackers use them with the intent of helping prevent security incidents instead of causing them.
There are many different types of penetration testing ranging from physical penetration testing of various office locations to modeling a security incident leading to a sensitive data breach. There are a few methods for approaching a simulated attack of a target system:
- Black box testing – a kind of penetration testing in which the tester has no prior knowledge of how the system operates and must find both known and previously unknown vulnerabilities from the outside.
- Gray box testing – this form of penetration testing attacks a system with partial knowledge: the tester understands the system’s inputs and outputs and has a general understanding of its source code or design. Since this tests interoperability and architectural design, it’s very effective for web application testing.
- White box testing – this kind of penetration test is a simulated attack on a computer system or application in which the tester knows exactly how it works. This kind of penetration test really homes in on whether or not comprehensive security controls are effective.
Again, while there are no real industry standards for what kind of penetration test to conduct, some are better suited to specific situations.
Some organizations avoid penetration testing because they’re concerned that an already expensive penetration test will lead to additional costly fixes. That’s a dangerous fallacy.
The conditions for a successful attack, potentially costing an organization millions of dollars, exist whether or not a penetration test is conducted. Not understanding what those conditions are practically guarantees that an organization will be successfully compromised.
In the long run, it’s almost always cheaper to do the pen testing and implement recommended mitigations than it is to be hit by a cyberattack.
#4: A Pentest Can Save Money or Maximize Coverage on Insurance
Most cyber insurers require some form of penetration testing, either as a condition of providing specific coverage or to reduce premiums on coverage. Penetration testing reduces the likelihood of a successful cyberattack. That makes insuring your organization cheaper for cyber insurers.
With cyber insurance now a losing proposition for many insurers, and many exiting the space, the remaining insurers need to see that your organization is mitigating the likelihood of a successful attack. A penetration test isn’t the only way to do that, but it’s the most comprehensive way.
Isn’t a Vulnerability Assessment Enough?
Not really. A vulnerability assessment evaluates your administrative and technical controls as they are described on paper. It evaluates whether or not your security program is well-postured to address threats. It asks questions about how often you apply security patches, whether you have an incident response program, whether you enforce access and authorization controls, and other procedures.
Penetration testing evaluates the effectiveness of the procedures you have in place. A penetration tester will scan for vulnerabilities arising from unpatched assets, try to circumvent your alerting so that your incident response program never activates, leverage weaknesses in your access control process to gain elevated privileges, and exploit other controls to gain access to critical data stores.
In short, the distinction is between validating the existence of processes designed to mitigate an attack and validating the efficacy of those processes at actually mitigating an attack. Penetration testing is ineffective at gauging the former, but very effective at testing the latter.
For more, see Penetration Testing vs Vulnerability Assessments.
When You Don’t Need a Pentest
Never. Since that’s a double negative: you always need a penetration test.
Penetration tests even have value for small companies. If you have a product or service on the market that interacts with client data and mandates the implementation of security measures to protect that data, then a penetration test will maximize your protection of that data. If, instead, you’re still developing a product or service, wait until you have a final product before engaging in a full-blown penetration test. You’d likely be better served by doing architectural reviews and validation through testing before you have a product ready to market.
How do you get the most bang for your buck from a penetration test? By running one after you’ve made significant changes to a computer system or application. Those changes can be cumulative over time or a single significant point-in-time change like a major upgrade or new system implementation.
Note: See our comprehensive article on penetration testing costs for more information.
You can run continuous penetration testing, but without material changes to the environment, the penetration tester won’t have any new recommendations for improvement or additional findings. That isn’t a waste of money by any means, but it’s not maximizing your penetration testing budget. At that point, the penetration test is validating that, while improvements haven’t been made, you’re not backsliding.