Unfortunately, there is no cut-and-dried answer to the question of “when is the best time for a penetration test?”. As with many nuanced areas of life, the answer is “it depends”. There are many scenarios that could warrant a penetration test, and organization-specific situations that could change your needs. Let’s dive into some of the factors to consider:
- Have you ever had a penetration test completed? If the answer to this is “no”, then we recommend getting a penetration test completed as soon as possible. The initial test will act as a baseline to help you demonstrate an improvement in your security posture over time. It’s always better to understand your risk and know about any security weaknesses than try to fly blind when managing a security program.
- Are you standing up a new security program? Has your company matured to the point where you are building a security program or growing your internal capabilities? A penetration test will help you understand your potential exposure and assist you in deciding where to start and how to prioritize resources.
- Do you have specific compliance drivers? Some regulations, such as PCI DSS, require penetration testing on a regular basis. If this is the case, you want to ensure that you are meeting those requirements to avoid falling out of compliance and facing potential penalties.
- Have you recently completed a large infrastructure change? Large technological changes can introduce new or modified attack surface that may not have been thoroughly tested before going into production. We recommend, at a minimum, having a vulnerability scan completed with any major change. But a full-blown penetration test is the ideal way to ensure your company has not opened itself up to unnecessary risk.
- Have you recently had a security incident? Following a security breach, once the dust has settled and all of the forensic work has been completed, presumably you have determined how the intruders got in and plugged that hole. However, after fixing the vulnerabilities that were exploited for access, you may want to know if there are others that could be uncovered by a penetration test.
- Does one of your vendors, suppliers, or customers require a penetration test? Many contracts these days include language around security program requirements and, more specifically, penetration testing at some defined frequency. Additionally, penetration testing results can be a great marketing tool and a way of demonstrating due diligence to potential clients.
There are other factors that may drive the need for a penetration test but, as you can see from the list above, there is really no perfect time. Other factors, such as security/IT staff bandwidth, can come into play, because someone has to coordinate the testing and act on the results. Your organization’s speed of change or software release cycle could also affect your testing frequency; a fast release cadence may justify moving from annual to semi-annual tests.
Interested in discussing a penetration test? Reach out to us today and we would love to talk further!