Reasons For a Penetration Test

We have clients reaching out for a penetration test with a myriad of different drivers for needing to complete the assessment. Sometimes, clients know what they need and why they need it. Other times, they are looking for coaching as to what they should get done and what that particular test will achieve. Today, we will explore the various reasons why your firm may need a penetration test, organized in no particular order.

Compliance Requirements

Perhaps the most common driver behind a penetration test is some sort of compliance requirement. While we recommend penetration testing regardless of whether you have a compliance requirement, we understand that it may be tough to get the business justification for the cost. Oftentimes, it is the compliance requirement that ultimately forces the issue and the budget to be committed to the project. Below are the most common compliance drivers we see:

  1. PCI DSS
  2. SOC2
  3. HIPAA/HITECH
  4. FINRA
  5. NCUA

This is not an exhaustive list, as there are many smaller compliance requirements in existence that require penetration testing.

Mergers and Acquisitions

As one could imagine, before purchasing another company, the acquiring company has to complete its due diligence. In this day and age, a company would be naive not to include some sort of cyber security evaluation in its due diligence requirements. In fact, as uncovered in a recent ISC2 report, nearly 50% of the respondents said that something uncovered during a security audit caused a deal to be canceled.

It also behooves the selling company to demonstrate that they take cyber security seriously by showing that they have had a penetration test completed in the past. The reputational and legal costs of a breach can cripple a company.

Vendor/Client Requirement

More and more often we are seeing vendors or clients requiring penetration tests as part of their standard contract agreements. This is to protect all parties involved. As we observed with the Target data breach, where the attack originated with a vendor, companies are vulnerable through many different avenues. We have seen large, multi-million dollar deals hinge on the completion and results of a penetration test, proving that they can truly make or break a business relationship.

Best Practice

While we wish we saw more companies reaching out for penetration tests to truly improve their security posture and mature their security programs, we understand that it is often difficult to get the budget for it. As cyber security continues to be in the news and becomes a focal point in business negotiations, we anticipate an increase in companies having penetration testing completed well before a vendor or client asks for it.

These are the main drivers we tend to see for companies inquiring about penetration testing. Does your company need a penetration test for one of the reasons above or for another reason? Please reach out and we would be happy to discuss.