What Drives Organizations to Get Penetration Tests (Hint: The Answer Isn’t Always Security)

Every organization that comes to us for penetration testing is driven by different motives. Our clients come from a variety of industries and range from enterprise-level organizations down to start-ups that need testing to receive funding. Many would assume that organizations with web and mobile applications want an ultra-secure application and that this is the main driver of their decision to get security testing, but most organizations have limited resources, and it can often come down to making payroll or getting a pen test.

So what drives an organization’s decision to secure a penetration test?

Legal Requirements
At the top of the list are those organizations that are legally required to get their applications and networks tested. These are the financial institutions, healthcare providers, and government agencies. Those that must, will.

Client Requirements
There are also companies whose clients require them to get testing done; if they don’t, they will either be in breach of their contract or will not receive the business of that client. Their clients are either security-conscious because of internal policies that leadership has put in place or, more likely, they fall into the previous scenario of needing to adhere to government regulations such as DFARS, NIST, or HIPAA. Similarly, organizations are often required by their investors and venture capital firms to get testing done to keep the funds rolling in. In both cases, they have to get testing done for business to continue.

It’s Just Good Business
Other organizations aren’t forced to get testing done by their clients, investors, or the government, but are driven by other reasons that just make good business or organizational sense. Many organizations are simply security-focused and want to create a security-conscious culture within their organization. These are groups that could be severely damaged by a security breach if it were to occur or become public, that pitch their secure posture as a selling point, or that simply want the assurance and peace of mind that their offering or tool is safe from critical vulnerabilities. These are all great reasons to get testing done, and these organizations are some of our favorite clients to work with because their commitment to security matches ours.

Many, but not all, of these organizations also have internal security teams that run both automated and manual tests constantly, but they turn to us because they want an outside perspective on their applications and networks or are required to have third-party validation. We have clients from all sectors who have different challenges with varying degrees of complexity and needs. Since our testers have seen so many different vulnerabilities and holes in the tests they have completed, our clients find that getting a test from us often reveals vulnerabilities and security issues that hadn’t yet been identified. Just as an author relies on proofreaders and editors to ensure their latest publication is free from errors and mistakes, organizations come to us to review their source code and double-check for cross-site scripting, security misconfigurations, and other known vulnerabilities. With many companies providing new releases daily or weekly, it is nice to have an outside set of eyes complete a review.

Using a security consulting company like Caliber Security Partners can actually save companies money as well! Some groups can’t afford to have an internal team, and for them it makes more sense to outsource their security testing and initiatives to us. Paying a salary and benefits to just one security engineer could cost anywhere from two to four or five times more than getting their applications tested periodically by us. Not only do they save money, but they also receive the technical expertise of a firm that performs hundreds of tests per year. This also adds flexibility, which is extremely valuable, as testing needs often aren’t consistent and hiring a full-time tester can be impractical. Why pay a security engineer to test occasionally, but have them spend the bulk of their time doing system administration?

Staff Augmentation
Customers also come to us for help with a push that is needed for an upcoming release or to get an application out sooner, when their current staff doesn’t have the capacity to perform all the testing needed to have the release come out on time. Sometimes organizations severely underestimate the testing needed and turn to us to augment their staff. A typical security staff augmentation opportunity runs for around three months, but can often continue for years. It makes more sense for a company to turn to us for these short-term needs because they don’t have the time to recruit, interview, negotiate, wait weeks to months for a new hire to quit their current job, train them, and get them up to speed and familiar with the project. Meanwhile, they could have just come to us for one of our consultants and had someone on the project as quickly as they would like. Flexibility to adjust to the needs as they ebb and flow is very valuable to our clients.

In summary, the reasons that organizations come to us are generally driven by:

  • Government mandates and regulatory compliance
  • Client requirements and assurances
  • Investor and venture capital demands
  • Organizational security decisions and initiatives
    • Public image
    • Intellectual property
    • Security as a selling point
    • Peace of mind
  • 3rd party perspective / review
  • Expert opinion
  • Money saving
  • Flexibility
  • Capacity Overflow
  • Staff Augmentation

Have a need for security testing? Email us at info@calibersecurity.com or fill out a contact form on our contact us page. We would love to have a talk about your security needs and issues. Let’s connect to help solve whatever security problems your organization is facing.
