
Security Think Tank: Pen testing must be followed by action

How can an organisation ensure they get value from penetration and security testing services?

The whole area of securing a company's IT is generally little understood. That is a sweeping statement, but given the revelations over the past year or so of major security breaches at some very large and well-resourced companies, it is one that stands. So what role can penetration and security testing play in improving the security of an organisation?

If the testing is comprehensive, carried out regularly and any issues found are quickly corrected, then the overall picture of an organisation's security is greatly improved. It must be said, though, that testing is not sufficient on its own: it must be augmented with regular staff awareness training.

Comprehensive security testing does not stop at penetration testing, that is, testing of any outward-facing interface such as an internet connection or a telephone dial-in portal. It must also cover all internal IT resources, including infrastructure devices, an audit of the devices present on the network, server configurations and firewall rule-sets.

To get the best value from such testing, it should be carried out at least annually (preferably twice a year or quarterly) and supplemented with more frequent automated security scanning of both the internal infrastructure and any internet connection. If the identified issues are not corrected then there is no value, only a false sense of security. The value arises from correcting the issues and thus maintaining or improving the organisation's security posture.

Given the public's heightened awareness of security breaches, letting the customer or client base know that the organisation takes security seriously is a positive (marketing) message. Other value that an organisation gains from testing its IT is the identification of software that requires patching, software that is due to fall out of vendor support, and software that is running as an unplanned instance.

Unless action is taken to correct the issues found, the value of testing is lost. Unplanned instances deserve particular attention: given the rise of virtualised IT coupled with enterprise software licensing, they can become a reality that leads to licence compliance problems and a potentially large increase in licence costs.
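The three findings the article says testing should surface (software needing patching, software approaching or past vendor end-of-support, and unplanned instances) can be produced by reconciling scanner output against a patch baseline and an approved deployment register. The script below is an added example written for this page, not the author's own tooling; the hosts, product names, versions, support dates and thresholds are constructed sample data, and it assumes version strings are dotted integers.

```python
"""Reconcile a software inventory against a patch baseline, vendor
end-of-support dates and an approved deployment register.

Added example for illustration. Every host, product, version and date here is
constructed sample data, not a real system or vendor lifecycle.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed baseline: product -> (minimum acceptable patched version,
# vendor end-of-support date). A real baseline would come from the
# vendor's lifecycle page and the organisation's patch policy.
BASELINE = {
    "webapp-server": ((2, 4, 9), date(2026, 6, 30)),
    "db-engine": ((14, 2, 0), date(2025, 1, 31)),   # already out of support
    "legacy-crm": ((7, 0, 0), date(2025, 6, 30)),   # support ending soon
}

# Constructed register of where each product is *supposed* to run.
# Anything found elsewhere is an unplanned instance (licence risk).
APPROVED = {
    "webapp-server": {"web01", "web02"},
    "db-engine": {"db01"},
    "legacy-crm": {"crm01"},
}

# Constructed scanner output: (host, product, version string).
INVENTORY = [
    ("web01", "webapp-server", "2.4.9"),
    ("web02", "webapp-server", "2.4.7"),    # behind baseline -> needs patching
    ("db01", "db-engine", "14.2.1"),         # in register, but out of support
    ("db01", "legacy-crm", "7.1.2"),         # not in register -> unplanned
    ("crm01", "legacy-crm", "7.1.2"),
    ("test03", "db-engine", "14.2.1"),       # not in register -> unplanned
    ("web01", "unknown-agent", "1.0.0"),     # no baseline at all -> unplanned
]


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    category: str   # needs-patch | out-of-support | support-ending | unplanned
    detail: str


def parse_version(text):
    """'2.4.7' -> (2, 4, 7); tuples compare lexicographically."""
    return tuple(int(part) for part in text.split("."))


def reconcile(inventory, baseline, approved, today, warn_days=180):
    """Return one Finding per problem; a single install may yield several."""
    findings = []
    for host, product, version in inventory:
        if product not in baseline or product not in approved:
            findings.append(Finding(host, product, "unplanned",
                                    "product has no baseline or register entry"))
            continue
        min_version, end_of_support = baseline[product]
        if parse_version(version) < min_version:
            wanted = ".".join(map(str, min_version))
            findings.append(Finding(host, product, "needs-patch",
                                    f"{version} below baseline {wanted}"))
        if end_of_support <= today:
            findings.append(Finding(host, product, "out-of-support",
                                    f"vendor support ended {end_of_support}"))
        elif end_of_support - today <= timedelta(days=warn_days):
            findings.append(Finding(host, product, "support-ending",
                                    f"vendor support ends {end_of_support}"))
        if host not in approved[product]:
            findings.append(Finding(host, product, "unplanned",
                                    "host not in approved deployment register"))
    return findings


def summarise(findings):
    """Counts per category, the figure to track between test cycles."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    results = reconcile(INVENTORY, BASELINE, APPROVED, today=date(2025, 3, 1))
    for f in results:
        print(f"{f.host:8} {f.product:15} {f.category:15} {f.detail}")
    print(dict(summarise(results)))
```

Re-running the reconciliation after each remediation round, and checking that the per-category counts fall rather than merely shift, is the "action" the article insists on; a report whose totals do not change between cycles is the false sense of security it warns about.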

Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.
