Cyber security penetration testing: build or buy?

Author: Phil Muncaster

Last year, the US National Vulnerability Database recorded more than 18,000 software bugs—the most it has ever recorded. That illustrates the monumental task organizations face in securing their IT systems. Cyber security penetration testing can help your organization better manage and minimize its cyber risk.

But a key question is whether to build out your in-house penetration testing capabilities or to outsource them to an expert third party.

What is cyber security penetration testing?

Cyber criminals are bankrolled by an underground economy that's larger than many countries' gross domestic products. They have the knowledge and tools they need to exploit vulnerabilities, monetize attacks and launder their spoils. They only need to get lucky once—and they have the crucial element of surprise. IT security teams must be hypervigilant against an agile, unpredictable foe.

So what is cyber security penetration testing, and how can it protect your organization from such well-resourced and sophisticated attackers?

Cyber security penetration testing lets you adopt a proactive security posture. By engaging an in-house or external team to think and act like cyber criminals and evaluate your security environment, you can identify where your defense needs patching.

This isn't necessarily just about discovering software vulnerabilities. Penetration tests also probe for:

  • Weak passwords
  • Misconfigured systems
  • Poorly trained users susceptible to phishing attacks
  • Deficient threat detection and response tools

What do you stand to lose?

Penetration tests can help determine the real-world impact of cyber attacks and any security and compliance gaps—including your own IT team's ability to defend.

Without this insight, your IT security team is flying blind, trying to second-guess where vulnerabilities are and how attackers might leverage them.

In practical terms, a preventable incident could cause major financial and reputational damage, including:

  • Staff downtime
  • Operational outages (e.g., ransomware)
  • Customer churn
  • Brand damage
  • Falling share prices
  • Legal costs
  • Incident remediation, cleanup and forensic costs

The Verizon 2020 Data Breach Investigations Report found that 86% of incidents were financially motivated. If you're not prepared to protect your business, it could cost you.

Outsourced or in-house?

Though your in-house cyber security team should scrutinize the scoping and final review of any penetration test, you might not want to build the capability for testing internally. Here are some key considerations.

  • Budget. Comprehensive penetration testing requires a sizable team with a broad skill set. Maintaining this team isn't cheap—especially as they will need to keep their accreditations and certifications up to date.
  • In-house resourcing. Critical skills shortages might make it challenging to source the right people for your penetration testing team, especially if they don't already work for you. Recruitment is only half of the battle; you will also need to spend time, money and effort to keep them.
  • Regulations and risk. Industry regulations might require your penetration testers to hold specific accreditations and certifications. You might also want to seek risk-based assurances before engaging third-party providers, given the data and systems they will have access to.
  • Impartiality. The National Institute of Standards and Technology requires penetration testing teams to be free from conflicts of interest about the systems they test. Such conflicts can arise when testers are part of the IT department that built the systems subject to testing.
  • Post-testing change management. In-house teams might be better at enhancing system security, as they have firsthand experience running penetration tests and greater “company context.”
