How often should you conduct penetration testing?

Problem: Attacks evolve faster than requirements

Just over five years ago, penetration testing -- "pentesting" -- was the subject of articles in IT security journalism posed as a debate whether or not a pentest was even worth doing. A lot has changed in a short amount of time.

Pentesting has mutated rapidly to match a cyber black market packed with highly skilled criminals, government resources, and attack agility that can far outpace even the most moneyed, sophisticated enterprise defenses.

Modern penetration testing is more than a scan, and definitely more than a tick-the-boxes compliance requirement.

I'd say. It is way more than just your PCI, HIPAA or other compliance list.

While some of it is automated, pentesting like you mean it demands hiring a team of the best attackers your money and research can get, and asking them to not just attack, but also to exploit your defenses. Mr. Ford explained, "Organizations seek to understand a malicious view of their organization, their business processes, and the data they have custodianship of, what key systems and infrastructure, may be most exposed to attack, or damaging to their interests."

No, you need to go beyond a pentest. You need a good Red Team. And then allow them to really go at your systems, your networks, you people. A good assessment should touch all the areas: physical, digital and social. It should not stop once the report is presented, it shoul be an ongoing assessment. Sure, it's expensive, but is it worth risking a breach? By actual bad guys?

I think Red Team assessments should be performed all the time, both by an internal Red Team on weekly basis and by an external Red Team at least once a quarter.