Companies face many challenging questions when maturing their security programs, and the answers are rarely straightforward. One of the most important decisions security leaders must make is whether to build an in-house penetration testing capability.
Defining Pen Testing
When it comes to the definition of penetration testing, it seems every company has its own. Most use it as a generalized term for any type of security audit or testing activity. Security professionals, however, would describe penetration testing as an exercise that evaluates particular attack scenarios against a specific, predefined outcome. They would also emphasize the clear differences between configuration review, vulnerability assessment, red teaming and penetration testing.
For the sake of common perception, I will use the term pen testing to denote the entire set of technical assessment activities security leaders can leverage to achieve security assurance.
When it comes to the cybercrime landscape, what was once perceived as a game of cat and mouse has grown into a full-fledged battle between security leaders and organized, sometimes state-sponsored, criminals. These criminals launch new attacks every day against increasingly complex IT infrastructures, which makes security testing a necessity for businesses of all sizes. Due to the growing demand for pen testing, many companies are considering bringing this capability in-house.
Among the most obvious benefits of in-house pen testing is easier integration in the change management process. With more in-depth knowledge of the design and architecture of enterprise systems, an internal assessment team can suggest plausible attack scenarios. The pen testing team members could also be integrated as SMEs to advise on security requirements early in the system life cycle.
Another benefit is shorter response time. Depending on the internal organizational structure and engagement process, in-house analysts can respond to requests for pen testing much faster than external testing providers.
In-house pen testing also offers increased team focus and a higher level of coverage at a lower marginal cost per engagement. An internal testing team can examine additional environments that an external team would not be asked to test because of cost concerns.
Convenience always comes at a cost, however. An in-house security assessment team could come with a hefty price tag.
Segmentation and Specialization
It is great to have well-prepared technical people who know how to test the organization's security controls in the most appropriate way. But keeping that army ready to act may require some budgetary gymnastics.
The IT field is becoming more and more segmented, making it almost impossible to find well-rounded professionals who know electronics, networks, applications, mobile and cloud inside and out. An internal testing capability therefore means a team of people, each with their own specialization. Many of these professionals will be able to work outside their area of specialization, but they won't be as effective as someone with that specific skill set.
It is also important to plan for redundancy: how the team remains operational and keeps meeting testing demand when members are absent, whether for leave, training or attrition.
Training and Accreditation
To keep your team current with the constantly evolving cyberthreat landscape, you will need to pay for expensive training. In addition, some regulations require testing to be performed by accredited security professionals. Certifying your team will come at an additional cost.
Retention and Morale
The shortage of skilled professionals in the cybersecurity field is well documented and sure to affect the industry for the foreseeable future. That means recruiters are likely pursuing your most qualified and highly trained employees and bombarding them with tempting offers.
It is more important than ever for security leaders to maintain high levels of morale and motivation to keep the team together. Security professionals usually expect flexible work hours and locations, ample research time, extensive training, participation in conferences and more. Team leaders must know how to manage these expectations.
Automating Security Testing
Over the past 20 years, researchers and developers have worked to automate security testing as much as possible. Today, pen testing teams can leverage tools such as network scanners, dynamic and static code analysis tools, reverse engineering toolkits and more. Some tasks can be automated with open source and free tools, but commercial tools provide the level of efficiency security teams need to meet the growing demand for pen testing.
When planning and implementing internal testing capabilities, organizations often overlook the infrastructure supporting the testing operations. Bear in mind that the testing team will need to collaborate on and share highly sensitive data (credentials, exploit details, findings about unpatched systems), and this information will need to be stored as evidence. Data retention is essential, and the supporting infrastructure should provide it with access controls appropriate to the sensitivity of the material.
The Hybrid Model
Organizations may consider adopting a hybrid model to balance the expense of building and maintaining a full-fledged security assessment team against the benefits of establishing internal testing capabilities.
The optimal solution may be to build an internal security assessment center and hire or train a limited number of security assurance specialists with intimate technical knowledge of your systems. This team would work mostly hands-off: offering advice, outlining a plan to meet a given testing objective, communicating with internal stakeholders and third-party providers to clarify the scope of an engagement, overseeing execution and relaying the final results.
Some organizations might also equip the internal team with a small pool of hands-on resources to perform limited testing. In most cases, however, the actual hands-on work is outsourced to specialized service providers.
To summarize, in-house pen testing must be weighed against what outsourcing to specialized providers offers. Pros of relying on external providers include:
- The option to select from a wider pool of trained and accredited security testers; and
- The option to rotate experts for a fresh pair of eyes.
This convenience doesn't come without a cost, however. Cons of outsourced pen testing include:
- Extended time for preparation;
- Additional expense; and
- The need to establish well-defined attack objectives when complex enterprise systems are targeted.
There are numerous incentives to establish an in-house pen testing team, most notably faster turnaround and broader coverage at lower marginal cost. There are, however, many not-so-obvious considerations (specialization, redundancy, training, retention, tooling and supporting infrastructure) that organizations tend to overlook and that could render such a team ineffective. When considering in-house pen testing, security leaders should explore all the available options and reach out to trusted security experts for advice.