Answering a CEO's Penetrating Question
It can begin with a friendly lunch conversation with your boss. "Hey, did you hear Egghead and Travelocity got hacked?" you begin. "Yeah, with credit card numbers lifted and everything," says the boss. "Don't worry, Boss, our security is solid." "How can you be sure? Have we ever tested it?" Suddenly, you're faced with the delicate task of finding someone to do a coherent penetration test on your enterprise. But where do you begin? A properly conducted penetration test can yield tremendous benefits. It can reduce the possibility of financial losses and corporate embarrassment by providing tangible evidence of exposures before they are exploited. Such efforts can teach some real-life lessons to in-house IT staff and facilitate continual security improvement while demonstrating due diligence for publicly held or heavily regulated organizations.
But it's important to have a sense of the good, the bad and the ugly of penetration testing going in. For one thing, it's important that your organization, and your security vendor, approach a penetration test with the correct mind-set. Penetration testing is not intended to be, nor can it be, a full security assessment. Even if you pass unscathed, it is no guarantee of security. And it is not an alternative to other prudent security measures such as conducting continual, companywide assessments and having appropriately trained internal staff.