“We've spent all this money on IT security and you're still telling me that you don't know whether our systems are secure?” your CEO might say. They may also argue that you should know your systems well enough to already know their weaknesses. Should you? Not really.
Let's say you're a manufacturer of widgets. Even if you have the best machine and the brightest people working for you, you'll still want to ensure that the widgets that leave the factory will work as expected to ensure high customer satisfaction. Software is no different - even the smartest developers hand their code to the QA department to ensure that it's rock solid.
This makes it even more surprising that this approach is not yet widely accepted in the world of IT security. IT systems are more complex than ever: organically grown and connected with the outside world at many points. In many networks, it is very difficult for one individual to have a clear view of all assets. Even the most talented network specialists can make mistakes and overlook hard-to-find security issues. To complicate matters, attackers are increasingly stealthy, and the signs of a breach are not always obvious. We need an acid test, a reality check, a quality control for our network's security.
A penetration test is exactly such a quality assurance test for security, providing, well, “security assurance”. It verifies that our firewalls, permission systems, intrusion detection systems, and data loss prevention solutions all work as expected.
If you enjoyed this post, you may also like the white paper “How to Justify Your Security Assessment Budget”.