“[High quality attackers] are paid only if they make it through your defenses,” Los said. “I got a news flash for you kiddo: they’re going to make it through your defenses. It’s not a question of if, because if they can’t [get] through by penetrating your website, they’ll try your partners, they’ll try your vendors. Worst case scenario, they’ll get hired in your call center and steal data that way. How do I know? I’ve watched it happen, it’s very real and it sucks.”
Validation is an absolute requirement when it comes to a security program. The organization’s defenses, responses, and technology must all be validated. And true validation comes from being attacked realistically. This is where the notion of a Red Team comes into play.
Go read the entire article. It is well written and very informative.