It does not matter how strong you believe your security controls and policies are: if you have not tested whether they can withstand a worst-case attack, you need to think again. You may also need to find out whether they meet your own expectations or the relevant industry standards. Penetration testing can be considered an additional layer of security defense, one used to verify that the security controls in an organization actually work as intended. Consider how much your organization's reputation, or your personal assets, mean to you. Can you put a dollar amount on reputational damage, a fine from a compliance agency, loss of revenue, or even the complete loss of the business and the resulting business discontinuity? Can you imagine how much it would cost to recover from a cyberattack, even if the business survives it?
Many organizations spend their IT budgets on the wrong technology infrastructure. Would it not be worth knowing where to spend your IT budget? And even when an organization makes the right expenditure on the right IT infrastructure, would it not also make sense to protect that infrastructure? What would your customers do if they had the slightest reason to believe that their personal information is not secure in your enterprise systems? I do not know of any organization that looks good immediately after a cyberattack. I mentioned in the last episode, on security challenges in eLearning systems, that some organizations have a mandatory requirement to maintain a penetration testing procedure. The fact that your organization has no mandatory compliance requirement to conduct penetration testing does not mean it is safe to skip penetration testing as a way of verifying its security defenses. Penetration testing enables an organization to learn about and understand the vulnerabilities, actual or potential, in its computing systems.