We can file this away as a million dollar question for technology leaders and executives. While there is no right or wrong answer to this question, we recommend an annual security assessment that includes penetration testing. There are also actions that can be taken throughout the rest of the year between assessments to help secure your organization and get more value out of those annual assessments. To answer the question of how often your company should get a penetration test, there are a few factors to consider:
Penetration Testing Frequency Drivers
- Compliance – With each different compliance driver comes a different timing requirement. For instance, PCI requires annual penetration testing and quarterly vulnerability scanning. You or your compliance team should thoroughly review your compliance requirements to make sure your current testing schedule matches up.
- Business Drivers – There are many different business reasons that could determine the need for penetration tests. If you just had your required annual penetration test and go through an architectural overhaul 3 months later, we would highly recommend getting another penetration test completed. Or maybe you’ve got customers that want to see documentation that you’re performing security testing on an ongoing basis.
- Feasibility – In a perfect world, we would be able to constantly conduct security assessments, seeking out and detecting vulnerabilities in real time. This just isn’t possible due to time, scheduling, and budgetary constraints. As a company, you need to determine how often a penetration test makes sense for you, given the resources you have on hand and your security budget. This should also account for how long it takes your security and IT teams to address the findings from previous assessments.
As constant penetration testing is most likely out of the question for your company, there are a few things that can be done to continue to help you monitor your network and help protect your assets:
- Vulnerability Scanning – This can be done more frequently than a standard penetration test and can assist in identifying and eradicating known vulnerabilities that could be lurking on your network. Quarterly scans can be cost effective and get rid of the “low-hanging fruit”.
- Security Awareness Training – As we have discussed previously, your external perimeter could be perfectly secure, but one employee can click a malicious link and that all goes out of the window. By constantly keeping your employees engaged and security aware, you can help prevent your company from falling victim to a hack.
While all companies are different, we recommend that your company lay out a strategic security plan that makes sense for you. Using the factors above, part of that plan should be a security assessment schedule to help calculate your risks and help inform your resource allocations for other security tools and activities. At the end of the day, any penetration testing is better than nothing and will ultimately help your company become more secure than it otherwise would have been.