Pentesting as part of an organizational security program

Introduction

Robust IT security programs are a must for any organization that relies more and more on information system infrastructures to manage data, activities, business procedures and relations with clients. As so much is stored and processed through a company’s IT systems, no business, regardless of size or type of industry, is safe from attackers and malicious hackers.

A comprehensive approach is needed to help protect a network from cyber-related incidents before they occur. This must be a multi-faceted approach, including a variety of information assurance (IA) practices, tools, policies and procedures. 

Medium-to-large companies often employ internal IT security teams that perform risk analysis and incident detection activities in order to devise effective incident response plans and procedures. These teams often use automated tools to perform vulnerability scans and also dedicate themselves to user education and awareness. In addition, they conduct formal audits to cover all relevant areas of their action plans and test them periodically to ensure all parts run smoothly and to correct deficiencies and weaknesses. Some companies decide to employ the services of outside consulting companies in place of, or to complement, the work of internal teams.

Regardless of who an organization decides to entrust with the security of its IT infrastructure, an important component of a security program should be pentesting. This type of security review has become a best practice and can address corrective efforts for IT security weaknesses. Pentesters perform scenario-based testing on a variety of applications, platforms and technologies; services are tailored to the needs of clients who want to measure how effective their security posture is and which IT infrastructural changes, if any, are needed to ensure an efficient and effective information security program.

The need for a multi-faceted business security plan

Security experts cannot stress enough the importance of (Read more...)

*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Daniel Brecht. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/3-xbZkbENCk/