Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Career Intelligence
    • Cyber Tactics
    • Cybersecurity Education & Training
    • Leadership & Management
    • Security Talk
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Interactive Spotlight
    • Photo Galleries
    • Podcasts
    • Polls
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecurityManagementSecurity Enterprise ServicesSecurity Leadership and ManagementLogical SecuritySecurity & Business ResilienceCybersecurity News

Penetration testing: A needed defense against cyber threats

By Tom Brennan
cyber-leaders-freepik1170.jpg
April 28, 2022

Historically, mainly due to legal or regulatory requirements, the public sector, utilities, pharmaceutical companies and financial institutions — all involved in processing sensitive data — have been the predominant users of penetration testing. However, an increasing array of organizations now conduct penetration testing, not just for compliance reasons, but because of the online nature of nearly all businesses today and the increasing threat from real cyberattacks. 


A penetration test, or pen test, uses a variety of manual and automated techniques to simulate an attack on an organization’s information security architecture — either from malicious outsiders or from insider threats. It generally falls into two categories: applications (including mobile) and devices, and infrastructure, including servers, firewalls and hardware.


Built around a manual testing process, pen testing is intended to go much further than the generic responses, false-positive findings and lack of depth provided by automated application assessment tools (such as those used in a vulnerability assessment). Through simulations and linking together potential vulnerabilities in new ways, pen testing gives organizations a valuable deeper dive into where their vulnerabilities lie and uncover ones that may not have been previously evident.


For organizations who have not executed pen testing, it’s advisable to consider the practice in three steps: 


1.) Getting Ready: Considering the drivers for testing; the purpose of testing, and target environment and appointing suitable suppliers to perform tests.


2.) Testing in Action: Conducting penetration tests enterprise-wide, approving testing style and type; allowing for testing constraints; managing the testing process; planning for and carrying out tests effectively; as well as identifying, investigating, and remediating vulnerabilities


3.) Follow Up: Carry out appropriate follow-up activities, remediating weaknesses, maintaining an improvement plan, and delivering an agreed action plan.


Here are some of the key considerations for each step:


Getting Ready. Deciding what an organization wants to test can lead to time-consuming debate and stall getting pen testing underway. Many organizations help simplify the decision-making process by using the services of a trusted, specialist organization to help them define the scope of the test, identify requirements, and develop a management framework. Often, these highly experienced specialists continue to conduct the testing based on the pre-approved scope. 


A third-party specialist can provide more experienced, dedicated technical staff who understand how to carry out penetration tests effectively. The specialist can also perform an independent assessment of security arrangements before carrying out a full range of testing (e.g. black, white or grey box; internal or external; infrastructure or web application; source code review; and social engineering).


In evaluating third-party providers, look for a trusted, certified external company that employ professional, ethical and highly technically competent individuals. CREST, for example, is a penetration testing certification organization whose members fully meet these requirements, having been awarded the “gold standard” in penetration testing. They build trusted relationships with their clients by adhering to these high standards.


Working with a third-party provider, a senior management team should be appointed with responsibility for establishing and overseeing the penetration testing program, ensuring that it meets business requirements, and the scope of testing is agreed upon.


Organizations sometimes want to adopt an ad hoc or piecemeal approach, often depending on the needs of a particular region, business unit — or the IT department. While this approach can meet some specific requirements, it is unlikely to provide real assurance about the security condition of a system across the enterprise. Consequently, it is more effective to adopt a systematic, structured approach to penetration testing as part of an overall testing program, ensuring that business requirements are met, major system vulnerabilities are identified and addressed quickly and effectively, and risks are kept within acceptable business parameters.


Testing in Action. Basic actions before beginning pen testing are determining the depth and breadth of testing; what type of pen testing is required, the critical assets and infrastructure elements to be analyzed, and setting the organization’s tolerance for disruptive risks caused by testing. These risks include potential system failure and exposure of sensitive data.


Another important aspect is keeping current on business processes, applications, end user environments and other IT systems, so that pen testing is conducted early enough in a project’s lifecycle to be effective and identify new vulnerabilities.


Pen testing itself is evolving. An emerging practice is combining Red Teaming and Blue Teaming during testing. Red Teams go beyond the network infrastructure or applications to identify potential weak points and string together seemingly unrelated vulnerabilities to create composite attack scenarios. By doing so they challenge the organization’s assumptions around security. Blue Teams can focus on defending against Red Team attack simulations. Combining the two offers new insights into vulnerabilities that may not have been on the radar before. Blue Teams can also conduct defense analysis of patch management and perform other security evaluations to allow pen testing to find more in-depth issues.


One cautionary note: Pen testing is not a panacea for an overall weaker security infrastructure. It covers just the target application, infrastructure or environment that has been selected. Before engaging in pen testing conduct a reality check of your cyber hygiene: are your malware protection, firewalling, system/ network patching and vulnerability assessments all up to speed?


Follow-up Principles and Practices. Once each penetration test is complete — and any identified vulnerabilities have been addressed — it can be tempting to draw a line under the process and return to business as usual. However, to reduce risks both in the longer term and across the whole organization, it is useful to carry out a range of follow-up activities. The immediate need is to conduct any remediation of weakness uncovered, identify the root causes of these vulnerabilities, then take action. Since the organization is continually changing its IT infrastructure and application usage, pen testing results can help define the next appropriate round of testing. 


Lastly, a common mistake organizations make is assuming, that by fixing vulnerabilities uncovered during a penetration test, their systems will then be ‘secure.’ As one executive said, “Organizations should not describe themselves as secure — there are only varying degrees of insecurity.”


It’s smart to think of IT security infrastructure as a constantly moving target for cyberattacks and continue to use pen testing as part of the cyber defense tactics to improve security.

KEYWORDS: cyber security penetration testing risk management security operations

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Tom brennan

Tom Brennan is the Chairman, Executive Director Americas for CREST, an international not-for-profit accreditation and certification body that represents and supports the technical information security market. In this role, he works with government and commercial organizations to optimize the value of CREST as a cybersecurity accreditation body and industry standards advocate. Brennan also serves as the CIO for the law firm Mandelbaum Barrett PC and is an industry evangelist and educator on the value of using accredited cybersecurity products and professionals to improve consumer privacy, security and protections worldwide.

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Cyber tech background

    Security’s Top Cybersecurity Leaders 2026

    Security magazine’s Top Cybersecurity Leaders 2026 award...
    Top Cybersecurity Leaders
  • Iintegration and use of emerging tools

    Future Proof Your Security Career with AI Skills

    AI’s evolution demands security leaders master...
    Security Education & Training
    By: Jerry J. Brennan and Joanne R. Pollock
  • The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report

    The 2025 Security Benchmark Report surveys enterprise...
    The Security Benchmark Report
    By: Rachelle Blair-Frasier
Manage My Account
  • Security Newsletter
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

Hand reaching up out of the ocean

What I Learned About Burnout the Hard Way (and How to Actually Fix it)

Broken wet floor sign

Why Response Time Is Becoming the Missing Metric in Workplace Safety and Security

Paparazzi

When Private Events Become Public Infrastructure: What Celebrity OSINT Teaches Security Leaders

Cyber Tactics

AIBOMs: Bringing AI Security Out of the Shadows, A Practical Guide for Security Professionals

Medical professional

Nearly 85% of Nurses Experienced Workplace Violence in the Last Year

Kaseware sponsored webinar
Schneider Electric sponsored webinar

Events

August 25, 2026

Critical Infrastructure Security Is National Security: Protecting Essential Operations in an Era of Escalating Risk

LIVE: August 25, 2026 at 2 PM EDT Learn why critical infrastructure security has become a national security imperative, and the strategies organizations can adopt to improve visibility, collaboration, and response across their security operations.

August 27, 2026

Leveraging AI & Mobility to Advance Your Security Domain

LIVE: August 27, 2026 at 2 PM EDT Explore how AI-driven cloud security solutions can elevate your security domain enhancing threat detection, streamlining operations, and delivering the resilience modern organizations demand.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products


Alertmedia sponsored webinar

Related Articles

  • cyber security freepik

    The fight against cyber threats requires a public-private partnership. Here’s how to get it done.

    See More
  • doctor

    Healthcare workers remain on the front line: Now against cyber threats

    See More
  • Ukraine

    Protecting against cyber threats during the Russia-Ukraine conflict

    See More

Related Products

See More Products
  • Physical Security and Safety: A Field Guide for the Practitioner

  • 1119490936.jpg

    Solving Cyber Risk: Protecting Your Company and Society

  • 9780367339456.jpg.jpg.jpg

    Cyber Strategy: Risk-Driven Security and Resiliency

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • Newsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2026. All Rights Reserved BNP Media, Inc. and BNP Media II, LLC.

Design, CMS, Hosting & Web Development :: ePublishing