“Pen tests should aim to prove something organisations can fix through changing the security culture,” he told information security professionals attending (ISC)2 Security Congress 2013 in Chicago.
According to Winkler, the job of an information security professional is to make things more secure, so the purpose of any penetration test should be to identify security gaps that can be closed.
“They should be looking for problems that can be mitigated in a cost-effective way, and that are worth the effort,” he said.
But without a clear goal of changing security behaviour by proving some specific failure, pen tests rarely address underlying security issues.
“In practice, the situation often stays the same, and even deteriorates in some cases, indicating that without clear goals, a pen test can be a waste of time and money,” said Winkler.
“Find issues that need to be solved, determine the root behaviours that need to be modified, and design an awareness programme to raise the bar,” he said.
Winkler believes pen tests should be about deeper vulnerability assessment, a chance to see the reality of security as it is practised, and about identifying consistent vulnerabilities across an organisation.
The importance of mitigating the vulnerabilities must also be expressed in terms the business can understand, such as lost production or diminished investor confidence.
“Expressing the risk of a vulnerability in terms of potential loss to the business is the best way of getting budget for mitigation,” said Winkler.
To ensure a positive change in security behaviour, he said, infosec professionals should use pen testing to measure the strength of an organisation and then deploy methods to improve behaviour.
“Then measure the effectiveness of those methods by testing again to see if employees do the right thing by default, which should be the goal,” said Winkler.
There is no such thing as perfect security, he said; it is about risk management, and through awareness training the information security professional should aim to raise the bar as high as possible.