Effective penetration assessments can highlight vulnerabilities and help organizations develop plans to address cybersecurity risks. In this second of a two-part series, three Crowe professionals explain how organizations can derive the most value from a pen testing engagement.
The first post in this series offered an overview of the processes and techniques involved in penetration testing – also known as pen testing or ethical hacking – and described what actually happens during pen testing, what testing teams try to learn, and the tactics and techniques target organizations can expect to encounter while hacking attempts are underway.
This post examines the next steps in the process, including how pen testing teams communicate their findings to stakeholders, what organizations should be prepared to do in response to those communications, and other steps organizations can take to get the most value from their pen testing investments.
Unfortunately, the very idea of gaining value from pen testing is poorly understood or overlooked in many organizations. When pen testing is conducted in response to a specific regulatory or business partner requirement, it is not unusual for management to regard the process as just one more compliance task – and just one more cost of doing business. Yet even if the stated objective of pen testing is regulatory compliance, the process provides significant value by serving as a worthwhile cybersecurity tool and supporting the organization’s overall risk management efforts.