Here are some of the main penetration test benefits:

Improvement of security:
• General improvement of the effectiveness of information security, with controls implemented to address real, proven vulnerabilities;
• Independent review of your information security management system;
• Increased awareness of security and of how controls can be circumvented and vulnerabilities exploited;
• Advice provided to address the identified security problems.
Good governance:
• Awareness and empowerment of personnel regarding information security;
• Reduced risk of lawsuits against upper management, by virtue of the "due care" and "due diligence" principles;
• The opportunity to identify weaknesses and to provide corrections;
• If linked with a good Information Security Management System (ISMS), the opportunity to increase the accountability of top management for information security.
Helps in the effort to be conformant with:
• ISO standards;
• OECD (Organisation for Economic Co-operation and Development) principles;
• Industry standards, for example PCI DSS (Payment Card Industry Data Security Standard) and Basel II (for the banking industry);
• National and regional laws;
• Customer contractual requirements.
Cost management:
• Decision makers often ask to justify the profitability of a project or security control and demand concrete, measurable returns. A financial evaluation concept has emerged to treat the information security field specifically: Return on Security Investment (ROSI). ROSI is derived from Return on Investment (ROI) and can be interpreted as the financial profit of a security control, taking into account its total cost over a given period of time.
• Understanding the real risks by analyzing the results of a well-constructed penetration test helps in selecting the correct and most effective controls, those that address the actual business risks and issues.
Customer and partner assurance:
• Differentiation that provides a competitive advantage for the organization;
• Satisfaction of the requirements of customers and/or other stakeholders;
• Meeting customer contractual obligations;
• Consolidating the confidence of the organization's customers, suppliers and partners.

Reference: PECB, Certified Lead Penetration Test Professional