"Penetration Test" under the magnifying glass

Media reports or incidents in the industry prompt decision-makers to have the IT security in their companies checked. They often consider a "penetration test". However, such a test is not always effective. A risk analysis creates clarity.

"Penetration Test" under the magnifying glass

 

 

When executives have been made aware of current threats, they want to know where their company stands in terms of IT security. A so-called "penetration test" is therefore the obvious request. Such a request presents IT consultants with a dilemma: should they address the request directly and carry out the desired test, or should they first ask about the customer's motives and expectations?

Understanding the motivation
If the IT consultant asks, they will learn the actual reasons behind the request. The question also gives the customer a chance to reflect on what they are asking for. The goal is to gain an overview of the situation in order to support the customer as well as possible. A "penetration test" is only one possible measure: it serves to identify weak points in the outer perimeter, i.e. at the border between internal and external networks. Without a clear framework, however, its effect is not sustainable, because the test is merely a snapshot of the situation at one point in time.

Viewing the entire ICT
It is therefore necessary to understand how information technology is organized, who is responsible for it, and which rules and processes already exist. This raises questions such as: Does the customer have IT governance? Is there an ICT strategy? Does it attach the necessary importance to IT security? Do directives and rules exist that provide a framework IT must comply with? Are threats systematically recorded and assessed? The answers paint a differentiated picture. They also show whether the customer's request for a "penetration test" was ad hoc or the result of a systematic approach.

Purpose of the "Penetration Test"
As a measure, a "penetration test" uncovers security gaps in ICT systems. The focus is on the points of contact with external networks and business partners. The measures derived from the test results should prevent an intrusion into the ICT infrastructure, or at least make it more difficult, provided that the gaps found actually pose a threat to the company.

Risk analysis recommended
A systematic, risk-oriented approach helps to identify potential threats of all kinds. In a risk analysis, their impact on the company is estimated on the basis of scenarios. Risks are thus identified, evaluated and assessed: how likely they are to occur and what costs they would cause. Relevant threats are recorded in a risk register. In this way, measures can be prioritized and implemented effectively, with the more highly weighted risks addressed first.

After the risk analysis and the security measures that result from it, the customer will be able to formulate a clear order for the "Penetration Test", because now they know the possible effects on the ICT infrastructure, how they want to deal with the results, and at what intervals the test should be repeated.

Actively confronting change
Today, business and technology are changing dynamically: globalization and networking are increasing complexity. This constantly gives rise to new dangers, but also to opportunities. The challenge is to face the dangers systematically and, at the same time, to take advantage of the opportunities that arise from the use of information and communication technology. In doing so, the risks that are accepted and the restrictions that are consciously taken on must both be taken into account. Without governance of the risks, spontaneously triggered actions, such as an unreflective "penetration test", are little more than token exercises without long-term benefit.
