In today’s world, massive data breaches and sophisticated malware litter news headlines. Unfortunately, it often feels as though the question is when your organization will fall victim, rather than if. Still, many organizations choose to meet only baseline compliance requirements and seldom perform penetration testing. Sometimes just being “good” isn’t “good enough.” Not conducting preemptive security assessments is a recipe for disaster, but how often is often enough?
When we start talking about how often your organization needs to have a penetration test conducted, we need to consider a few variables. Most authorities say that you should test before placing a system or software into production and after any major change. Of course, we all agree those are key milestones that should trigger security testing in any risk management program. Still, there’s more to it than that. It’s less about how often you should test and more about a continuous conversation regarding the ever-changing attacker landscape, your organization’s risk appetite, and general forward thinking.
Attacker Landscape – You understand what’s valuable in your organization; unfortunately, attackers do too. Attackers can range from rogue employees to criminal empires, so understanding the threats against you is critical to your testing regimen. In addition, researching current security trends and the behavior of the associated threat actors can give you a clue as to the depth and frequency of testing required.
Risk Appetite – As the saying goes, “Just enough security is the right amount of security.” It doesn’t make good business sense to spend more on a security control than what you are securing. Instead, strive to put controls in places that give you the most bang for your buck. Keep in mind that risk generally can never be eliminated entirely. Still, you can take measures to drastically reduce the impact or likelihood of an attack. Taking a defense-in-depth approach to protecting your most valuable assets is a great starting point and a best practice.
Forward Thinking – Key business endeavors can often create new attack vectors and invite threat actors you didn’t anticipate. For example, does your organization plan to acquire another business, move into a new industry, or is it on the verge of an R&D breakthrough? Knowing where your organization is headed can better prepare you by creating a solid foundation for your security program.
Regrettably, risk management isn’t a set-it-and-forget-it activity, and testing cadence is the outcome of many decisions rather than a single one. Nevertheless, continuous conversation and review may be what keeps your organization’s brand out of the notorious section of the news tomorrow.
See How We Can Secure Your Assets
Let’s talk about how TCM Security can solve your cybersecurity needs. Give us a call, send us an e-mail, or fill out the contact form below to get started.